Black Hat USA 2008 Speaker List

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Keynote: Complexity in Computer Security: a Risky Business

Ian O. Angell, Professor of Information Systems, London School of Economics

In this talk Professor Angell will take the devil’s advocate position, warning that computer technology is part of the problem as well as of the solution. The belief system at the core of computerization is positivist and/or statistical, and that itself leads to risk. The mixture of computers and human activity systems spawns bureaucracy and systemic risk, which can throw up singularities that defy any positivist/statistical analysis. Using black humour, Angell discusses the thin line between the utility of computers and the hazard of chaotic feedback, and ends with some advice on how to survive and prosper amongst all this complexity.

Ian Angell has been Professor of Information Systems at the London School of
Economics since 1986. Prior to that he researched and taught Computer
Science at Royal Holloway College, and University College London.

Angell has very radical and constructive views on his subject, and is very
critical of what he calls the pseudo-science of academic Information
Systems. He has gained a certain notoriety worldwide for his aggressive
polemics against the inappropriate use of artificial intelligence and
so-called knowledge management, and against the hyperbole surrounding
e-commerce.

His main research work concentrates on organizational and national I.T.
policies, on strategic information systems, and on computers and risk (both
opportunities and hazards), particularly the systemic risks inherent in all
socio-technical systems and the security threats posed to organisations by
the rapidly diffusing international information infrastructure.

Winning the Race to Bare Metal – UEFI Hypervisors

Don Bailey, Martin Mocko

Track: Turbo Talk

Combining UEFI with hypervisors paves the way for a new class of
vulnerability. We will present a discussion and demonstration on the threat and
opportunity that UEFI-based hypervisors pose to and for system security. The
emerging support for UEFI in commodity OSes (Microsoft Vista SP1) makes a rich
set of pre-OS capabilities possible. The advent of processors that support
virtualization in silicon over the past few years has made high-performing
commodity hypervisors a reality. We will discuss and demonstrate loading a
hypervisor via the pre-OS features of UEFI.

Don Bailey

Don is founder and CEO of Hypervista Technologies
(http://hypervista-tech.com), a Northern Virginia company focused on providing
hypervisor-based security solutions. Prior to founding Hypervista, Don spent 25
years at CIA developing, managing and deploying cutting-edge technical systems.
Don has been a keynote speaker at the annual multi-national conference sponsored
by NSA. Don has also presented at CIA's Emerging Technologies Conference. Don
has spent the past three years developing a custom lightweight hypervisor and a
runtime hypervisor debugger.

Keynote: TBD

Rod Beckström, Director of the National Cyber Security Center

Rod Beckström is the Director of the National Cyber Security Center (NCSC) in the U.S.
Department of Homeland Security and reports to Secretary Michael Chertoff.

Rod co-authored The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations that presents a new model for analyzing organizations, leadership style and competitive strategy. He has co-authored three other books including one on Value at Risk (VAR), a fundamental theory of financial risk management now used to regulate banking globally.

As an entrepreneur Rod started his first company when he was 24 in a garage apartment and subsequently grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles and Hong Kong. The company, CAT•S Software Inc., went public and was later sold. Nobel Laureates Myron Scholes and William F. Sharpe served on the company's boards of advisors and directors, respectively.

Rod also co-founded Mergent Systems with Dr. Amos Barzilay and Assistant Professor Michael Genesereth of the Stanford Graduate School of Computer Science. Mergent was a pioneer in inferential database engines and was sold to Commerce One for $200 million. He also co-founded TWIKI.NET, a company offering service and support for an open source wiki and collaboration software system.

From 1999 to 2001 Rod served as the Chairman of Privada, Inc. Privada was a pioneer in technology to enable private, anonymous and secure credit card transaction processing over the internet.

Rod has helped to start numerous non-profit groups and initiatives. In 2003 he co-founded a peace network of CEOs which initiated Track II diplomatic efforts between India and Pakistan. This group took symbolic actions which led to opening the borders to citizens and trade, and contributed to ending the most recent Indo-Pak war. He serves on the boards of the Environmental Defense Fund and the Jamii Bora Trust (micro-lending) in Africa.

Rod graduated from Stanford University with an MBA and a BA with Honors and Distinction. He served as Chairman of the Council of Presidents of the combined Stanford student body (ASSU) and was a Fulbright Scholar at the University of St. Gallen in Switzerland.

RE:Trace - Applied Reverse Engineering on OS X

Tiller Beauchamp, David Weston

Track: Reverse Engineering

This paper will detail the newest developments in RE:Trace, a reverse
engineering framework based on Ruby and DTrace. We will discuss implementations
for walking and searching the heap on OS X, tracing for kernel and driver
vulnerabilities, pinpointing format string bugs and leveraging custom
application probes, such as those built into browser and database software.

Tiller Beauchamp

Tiller Beauchamp works as a senior security consultant for SAIC providing
security auditing services to large commercial, state and DoD customers. His
areas of expertise include network penetration testing, web application
security, IPv6 and exploit development. Beauchamp earned his M.S. in Computer
Science from the University of Oregon with a specialization in software
engineering. He has worked as the lead developer for Team Defend, SAIC's
portable computer and network defense exercise. Beauchamp is also responsible
for maintaining the company's penetration toolkit and penlab.

David Weston

David Weston is a Security Engineer in the Windows Experience team at Microsoft.
He is an experienced security researcher and has discovered vulnerabilities in software
from Microsoft, Immunity, and the Defense Information Systems Agency. He has an
undergraduate degree from the University of California at Santa Barbara and is
currently pursuing a graduate degree with a research emphasis on vulnerability
exploitation.

Predictable RNG in the Vulnerable Debian OpenSSL package, the What and the How

Luciano Bello, Maximiliano Bertacchini

Track: Network

Recently, the Debian project announced an OpenSSL package vulnerability which they had
been distributing for the last two years. This bug makes the PRNG predictable, affecting
the keys generated by openssl and every other system that uses libssl (e.g. openssh, openvpn).
We will talk about this bug, its discovery and publication, its consequences, and exploitation.
We will also demonstrate some exploitation tools.

Luciano Bello

Luciano Bello is an Engineer (Information Systems) and works as a researcher at CITEFA's
Si6 Information Security Labs in Buenos Aires, Argentina. He has been a Debian Developer since 2007.

Maximiliano Bertacchini

Maximiliano Bertacchini is a PhD student in Computer Engineering at ITBA (Technological
Institute of Buenos Aires). He is a researcher at CITEFA's Si6 Information Security Labs
in Buenos Aires, Argentina.

When Lawyers Attack: Dealing With the New Rules of Electronic Discovery

John Benson, Electronic Discovery Consultant

Track: Deep Knowledge

The legal community is slowly accepting that the changes to the Federal rules which change the
law's approach to electronic evidence are not going away. Vendors are clamoring to sell their
e-discovery "solutions" to law firms and corporations alike, often taking advantage of the
uncertainty that comes with such sweeping changes to the law.

The changes to the Federal Rules change the way in which individuals and organizations
approach their data much in the same way Sarbanes-Oxley has over the past few years.
Instead of merely creating compliance headaches for security professionals, however,
these changes take data security out of the hands of those charged to protect it and
spread data to the wind.

More frightening for individuals doing security research is the fact that these
rules apply to the one-man research operation in the same way as to the multimillion-dollar conglomerate.

This talk outlines how the electronic discovery process works, why it is costing corporations
millions of dollars (but doesn't have to) and will empower attendees with the knowledge they
need to deal with this new legal environment.

John Benson currently works as an Electronic Discovery Consultant for a large Midwestern law firm.
A graduate of the University of Missouri from both Columbia and Kansas City campuses, he is a member of the Missouri Bar Association
and serves as the Chairman of the Kansas City Metropolitan Bar Association Computer Law and
Technology Committee. He has taught law, ethics and (oddly enough) finance as an adjunct
professor at The Colorado Technical University. In 2008 he founded the Cowtown Computer
Congress, a hackerspace and umbrella organization for the advancement of user-driven technology
activities in Kansas City. He has presented at hacker cons around the country including LayerOne,
Pumpcon, Shmoocon and DEFCON. He can be found on the DEFCON boards and assisting with radio
communications at DEFCON. His website can be found at http://www.john-benson.com.

No More 0-Days (or Code-Based Intrusion Detection by Korset)

Ohad Ben-Cohen

Track: 0-Day Defense

In order to identify malicious activity, Host-based Intrusion Detection
Systems often monitor the system calls emitted by a process, and then compare
them to a pre-constructed model of normal behavior. The model can either be learned during a training session, or manually
written by the user. Alas, the former suffers from false positives, and therefore repeatedly requires user intervention, and
the latter is tedious and demanding.

By statically analyzing an application's source/object code, we build its
control flow graph (CFG), which is then used by the Kernel to verify the legitimacy of the issued system calls and
their order. This method enjoys a powerful property of provable zero false positives,
since a deviation from a (non self-modifying) program's CFG can only be explained as an intrusion.

We present Korset, an Open Source Linux prototype which implements this
approach via:

An automatic analyzer that builds the CFG as part of the compilation process

A kernel agent that enforces the policy induced by the CFG, and terminates subverted processes.

We have successfully used Korset to automatically construct CFGs for the
entire GNU C library, and demonstrated its ability to block buffer overflow
attacks.

Korset introduces a viable IDS methodology that can stop future, or
publicly-unknown exploits. Furthermore, run time performance measurements of
Korset show negligible overheads.

In collaboration with Avishai Wool, Tel-Aviv University.

Ohad Ben-Cohen

Ohad Ben-Cohen is a Linux Kernel developer and consultant, bringing years
of Information Security expertise and Free / Open Source Software know-how.
His recent Open Source work includes writing the Bluelink Linux driver,
Bluetooth power management support for the OMAP2430 kernel and the Linux
port of TI's FM and Bluetooth stack. He teaches System Programming at
Tel-Aviv University, where he conducts his research and develops Korset.

Free-Space Quantum Key Distribution at GHz Transmission Rates

Joshua Bienfang

Track: Turbo Talks

Quantum mechanics makes possible some things that are impossible in the "classical" world of ordinary experience, and which even seem to contradict common sense. Some of these spooky effects are coming into practical use in security applications. The Quantum Spookshow of the National Institute of Standards and Technology (NIST) and the National University of Singapore (NUS) demonstrates quantum cryptography and quantum entanglement on a four-node quantum network, which supports quantum encrypted streaming video and violations of local realism. Participants are encouraged to interact with the light beams that constitute the physical link of this network, and to meet physicists who have designed and built quantum networks. Quantum mechanics provides methods of encryption that are secure from eavesdropping attacks against the quantum channel, but in any actual system there are points of vulnerability, e.g. correlations of classical noise in the operation of quantum elements. Participants will have a chance to discover vulnerabilities by hands-on interaction with our systems.

Dr. Joshua Bienfang will give a Turbo Talk on quantum encryption at Black Hat at 4:45 p.m. on Thursday, August 7. The demo will run from 1330 to 1930 on Wednesday and from 1200 to 1800 on Thursday, in the Turin Room located on the Third Floor. For further information, see http://havephotonswilltravel.com

Sergey Bratus

Track: OTA

Wireless devices that speak 802.11a/b/g differ, among other things, in their
responses to non-standard and malformed frames. We show that
these differences can suffice to distinguish between APs and other devices
from different vendors, and will demo a tool that fingerprints APs by their
responses to such frames. Our method is active and therefore "noisy", but
works (unlike other previously presented fingerprinting methods) without either
establishing or observing established associations. We also explore timing
characteristics of the responses to refine our fingerprint.

Our tool can be used as a prelude to any other interaction with an AP when
one wants to ensure that it is what it claims to be. It will be useful when one
does not trust the suspicious AP (or one's own driver/OS) enough even to engage
in a cryptographic exchange to authenticate it. It will also serve as a
cautionary tale for the designers of future wireless L2 protocol
implementations.

This is joint work with Daniel Peebles and Cory Cornelius (Institute for
Security Technology Studies, Dartmouth College).

Sergey Bratus

Sergey Bratus is a Senior Research Associate at the Institute for Security
Technology Studies at Dartmouth College. His current research focus is on
applications of data organization and other AI techniques to log and traffic
analysis. His other interests include Linux kernel security (kernel exploits,
LKM rootkits and hardening patches to various security policy mechanisms) and
wireless networking. Before coming to Dartmouth, he worked on statistical
learning methods for natural text processing and information extraction at BBN
Technologies. He has a Ph.D. in Mathematics from Northeastern University.

SmartCard APDU Analysis

Ivan Buetler, Presenter

Track: Hardware

SmartCards are commonly used for authentication, or for securing e-mails or transactions.
The concept armors cryptographic functions within a tamper-proof architecture. Software cannot be
protected by software, and this paradigm forces the need for secure devices. But how does
it work? How does a Windows computer communicate with the SmartCard device? Can hackers inject
malware in between the communication? This presentation addresses these items. The Compass
Security APDU debugger allows you to halt, alter and intercept APDU commands and disclose
hidden secrets. The APDU debugger is part of the presentation.

Ivan Buetler co-founded Compass Security AG Switzerland in February 1999
where he works as a Security Analyst and Managing Director. Additionally, Ivan works
as a teacher with both the University of Applied Sciences Rapperswil and Lucerne
University of Applied Sciences and Arts. He is also the author of various publications
on IT and internet security. In his spare time he heads up the annual Hack&Learn Wargames
Switzerland.

Yuriy Bulygin, Presenter, Security Center of Excellence

Track: Root Kit Arms Race

This work introduces an approach to detect hardware-assisted virtualization malware different from
currently developed techniques. It uses hardware capabilities of an embedded microcontroller inside
chipset's north-bridge to detect virtualization malware, and to go beyond detection and remove it from the system.
We will discuss advantages and other potential applications of the approach, possible attacks evading detection and solutions.

This talk will also include a demo of DeepWatch, a proof of concept detector of VT-x based virtualization
rootkits implemented in north-bridge firmware.

Yuriy Bulygin so enjoyed watching the Chernobyl Nuclear Power Plant burn at age 7 he decided to learn how
things work and why they fail. Yuriy received his Masters in Applied Math and Physics while attempting to hack the physics of
Jupiter's atmosphere, which appeared to be too far from the Earth. He then received his Ph.D. in Crypto from Moscow Institute
of Physics and Technology (Phystech) in Russia. Yuriy works for Intel's Security Center of Excellence where he leads
security analysis and pen-testing of Intel hardware/software and teaches secure coding to Intel engineers. He is also a
core member of Intel PSIRT. Prior to joining Intel Yuriy was a member of the technological research team at Kaspersky Lab
in Russia.

FLEX, AMF 3 and BlazeDS: An Assessment

Jacob Carlson, Kevin Stadmeyer

Track: App Sec 1.0 / 2.0

Adobe FLEX with BlazeDS offers developers a streamlined application
development paradigm, letting them create rich Internet applications with little
exertion. As always, though, ease of implementation often results in incomplete
engineering. In this presentation Jacob Carlson and Kevin Stadmeyer offer their
assessment of the FLEX and BlazeDS application architectures as well as a
detailed examination of the Action Message Format version 3. We will provide
developers and administrators clear examples of how to do things wrongly, how to
do them rightly and explain exactly how each component works internally.

Jacob Carlson

Jacob Carlson has been a professional security researcher, consultant and
developer for over 10 years. His experience includes application assessment,
reverse engineering, hostile binary analysis, exploit development, architecture
review and penetration testing. He has presented at conferences and private
training engagements across Europe and the United States and was a co-author of
"Internet Site Security", published by Addison-Wesley in 2002. He is a
Project Lead in the Trustwave development team and spends an unhealthy portion
of his free time performing protocol and binary analysis.

Kevin Stadmeyer

Kevin Stadmeyer has been a security researcher and consultant for the last 5
years. He has worked on a variety of applications over those years across all
major industries. His expertise is in application assessment, application-layer
protocols analysis and penetration testing as well as developer training and a
variety of fine English gins. Kevin works for Trustwave in the SpiderLabs
Application Penetration Testing team.

Cisco IOS Shellcodes/Backdoors

Gyan Chawdhary, Varun Uppal

Track:

It has been more than three years since Michael Lynn first demonstrated a fully interactive shell code at
Blackhat 2005 for Cisco's proprietary Internetworking Operating System (IOS). However, due to the legal
obligations imposed by Cisco and ISS, the technical information surrounding this research could not be
revealed in greater detail, which stifled continued security research in this area. The presentation will
cover significant advances in IOS shell code development and look at its subsequent impact on modern-day
routing infrastructure. IOS-specific payloads including bind shell, reverse shell, 2-byte shell codes and
bypassing the check heaps process in IOS 12.4 shall all be covered from both a practical and theoretical
standpoint, as well as a detailed overview of IRM's techniques used to develop these payloads. Furthermore,
building a complete IOS debugging environment and identifying new attack vectors will also be covered in
the presentation, allowing researchers to establish a fully working environment to develop IOS-specific
code, execution payloads, memory-resident backdoors and to conduct vulnerability research on Cisco
embedded devices.

Gyan Chawdhary

Gyan Chawdhary is a Senior Consultant heading up the Embedded Systems Center
of Excellence at IRM’s European Technical Centre in UK. He is a key member of
IRM’s Code auditing & AP team and performs a range of consultancy services which
include code auditing, software security and vulnerability assessments. With
over 9 years of experience in Information Security, Gyan’s experience includes a
broad range of market verticals with specialization in the financial services
space. Prior to joining IRM, Gyan was a Managing Consultant at Mahindra British
Telecom, where he was involved in establishing and managing MBT’s Vulnerability
Assessment Centre and conducting research and product assessments for various
in-house and commercial applications.

Varun Uppal

Varun Uppal is a Senior Consultant at Information Risk Management Plc where
he heads the Application Risk Assessment and Code Review Centers of Excellence.
With an experience spanning over 5 years and a gamut of verticals, Varun has
worked on a variety of commercial and non-commercial research engagements
covering areas such as high speed messaging protocols, embedded devices and
application risk modeling. Prior to IRM Plc, Varun designed and implemented the
application security practice at Kanbay (Capgemini, Financial Services SBU),
where he consulted to clients from the financial vertical.

SQL Injection Worms for Fun and Profit

Justin Clarke

Track: Turbo Talks

Earlier this year the first (publicly known) SQL Injection worm appeared.
This worm used SQL Injection to insert malicious scripting tags into the pages
of over 90,000 sites that were vulnerable to SQL injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy to
block. In other words, very much version 0.1 of what a SQL Injection worm can
achieve.

This talk is going to discuss how far the rabbit hole can go with SQL
injection based worms, including full compromise of the server OS, and why we
should be worried by what is going to be coming next out of
Russia/China/wherever, including a live demo of a proof of concept SQL injection
worm, "weaponized".

Justin Clarke

Justin is a Principal Consultant with Gotham Digital Science. He is the
co-author of "Network Security Tools" (O'Reilly, 2005), a contributing author to
"Network Security Assessment" (O'Reilly, 2007), and has spoken at Blackhat,
EuSecWest, RSA, and OSCON in the past. He has over 10 years of security testing
and consulting experience in network, application, source code and wireless
testing work for some of the largest commercial and government organizations in
the United States, United Kingdom, and New Zealand. Justin is active in
developing security tools for penetrating and defending applications, servers,
and wireless networks (e.g. SQLBrute), and as a compulsive tinkerer he can't
leave anything alone without at least trying to see how it works.

Commission on Cyber Security for the 44th Presidency

Panel Discussion

The Center for Strategic and International Studies (CSIS) has established a
Commission on Cyber Security for the 44th Presidency - the administration that
will take office in January 2009. The goal of the nonpartisan Commission is to
develop recommendations for a comprehensive strategy to improve cyber security
in federal systems and in critical infrastructure. Hear what is going on with
this Commission, ask questions, and provide input on what you think should be
addressed at a Presidential level for the next administration.

Michael Assante

Michael J. Assante, a recognized security and infrastructure protection visionary and new product development
leader, brings a powerful combination of leadership/domain experience, technological vision and strategy development
to the Idaho National Lab (INL). He was selected by his peers as the winner of Information Security Magazine's 2007
Security 7 leadership award for his efforts as a "strategic thinker".

Prior to assuming his strategic leadership position at INL, Mr. Assante was a vice president and Chief
Security Officer at American Electric Power, the largest generator of electric power in the US, serving 5
million customers in eleven states. He provided leadership, developed and implemented strategies to enhance
security and business continuity for AEP; he was also responsible for protecting and maintaining corporate
facilities, critical operating assets and property; and ensured the security and continued preservation of
all corporate information and proprietary data and the technology that supports it. He was selected for outstanding
contribution at the RSA 2005 Conference and received the award for outstanding achievement in the practice of security
within an organization. He has been recognized by SC Magazine among all Chief Security Officers as one of
two finalists for the global 2005 awards as CSO of the year. He was selected as a finalist for Information
Security Executive of the Year of the Midwest in 2005. In 2003, Mr. Assante was awarded best governance
program ("The Best of the Best - Best Governance Program," Information Security Magazine, December 2003) for
the establishment of an enterprise executive security committee.

Prior to assuming a vice president's position as Chief Security Officer at AEP, Mr. Assante, as a reserve
naval intelligence officer, filled a critical position at the National Infrastructure Protection Center.
In 1997, Mr. Assante was named as a Naval Intelligence Officer of the Year. In 2002 Assante was selected as
one of Columbus Ohio's Top 40 people under 40.

Jerry Dixon

Jerry Dixon is currently the Director of Analysis for Team Cymru and serves as Infragard's Vice President
for Government Relations; he was formerly the Executive Director of the National Cyber Security Division (NCSD) &
US-CERT, of the Department of Homeland Security. He currently serves as a member of the CSIS Cyber-Commission
on Cyber-Security for the 44th President and a member of the Advisory Board for Debix, an Identity Theft Protection Company.

During his time at Homeland, Jerry led the national effort to protect America's cyber infrastructure and identify
cyber threats. Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for
the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Dixon was instrumental in creating US-CERT, which
serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber
infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial
development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating
cyber threat warning information, and coordinating incident response activities across federal, state, local
government agencies, and private sector organizations, making it Homeland Security's primary element of cyber
preparedness and response.

Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer
Security Incident Response Capability. In this role, Mr. Dixon led their operational cyber security capability
for the IRS and developed their ability to detect and respond to protect American taxpayer's private information
from security attacks. Mr. Dixon has also served as Director of Information Security for Marriott International,
a global private sector company, where he led cyber security planning, security architecture, and security operations.

Tom Kellermann

Tom Kellermann is responsible for building Core's relationships with key industry and government partners,
and helping further the acceptance of auditing security defenses to reduce organizations' operational risk.

Additionally, Kellermann represents Core at US, international and industry security working groups, helping
these organizations promote improved security practices and policies. Specifically, Tom is a Commissioner and
Chair of the Threats Working Group on The Commission on Cyber Security for the 44th Presidency. Tom also
serves as the Chair of the Technology Working Group for the Financial Coalition Against Child Pornography.

Tom Kellermann formerly held the position of Senior Data Risk Management Specialist at the World Bank
Treasury Security Team. Tom was responsible for cyber-intelligence and policy management within the
World Bank Treasury.

Tom regularly advised central banks around the world on their cyber-risk posture and layered security architectures.

Along with Thomas Glaessner and Valerie McNevin, he co-authored the book E-safety and Soundness: Securing Finance in a New Age and the White Paper,
E-security: Risk Mitigation in Financial Transactions. Tom is also the author of numerous World Bank white papers on cyber security: Mobile Risk Management,
The Digital Insider, Phishing in Digital Streams, Bots: Cyber Parasites, Zero Day, and Money Laundering in Cyberspace. See:
http://www.worldbank.org/finance/esecurity

Tom is an active member of the IP Governance Task Force, The National Consumer League's Anti-Phishing Working
Group, The New York Chapter of Infragard, the IPv6 Forum and is an active member of the American Bar Association's
working group on Cyber-crime. Tom is a Certified Information Security Manager (CISM).

Marcus Sachs

Marcus Sachs is a member of the CSIS Commission on Cyber Security for the 44th Presidency and since 2003 has
volunteered as the director of the SANS Internet Storm Center. He is a retired US Army officer, a former
Presidential appointee to the staff of the National Security Council, and was part of the original cadre
of DHS' National Cyber Security Division in 2003. He currently works at Verizon as an Executive Director
of Government Affairs for National Security Policy. Prior to joining Verizon in 2007 he was the deputy
director of SRI International's Computer Science Laboratory.

Amit Yoran

Amit Yoran led the management buyout of NetWitness from ManTech in 2006 and serves as the Chairman and CEO.
Prior to NetWitness, he was appointed as Director of the National Cyber Security Division of Homeland Security, and
as CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. Formerly Mr. Yoran served as the Vice President
of Worldwide Managed Security Services at the Symantec Corporation. Mr. Yoran was the co-founder of Riptech, a
market-leading IT security company, and served as its CEO until the company was acquired by Symantec in 2002.
He served as an officer in the United States Air Force in the Department of Defense's Computer Emergency Response
Team.

Visual Forensic Analysis and Reverse Engineering of Binary Data

Greg Conti, Erik Dean

Track: Forensics & Anti Forensics

For decades hex was the common tongue of reverse engineers and forensic
analysts, but we can do better. Hex editors are the Swiss Army knives of low
level analysis and have evolved significantly, but are now at a local maximum.
With the tiny textual window hex provides, it is difficult, if not impossible to
understand the big picture context and inner workings of binary objects - files,
file systems, process memory, and network traffic. While there are helpful
tools to analyze the special case of executable files, little work exists to
help address the general case of _all_ types of binary objects. This talk
presents visual approaches to improve the art and science of forensic analysis,
diffing, and reverse engineering, both in the context independent case where
little is known about the raw structure of the binary data and at the semantic
level where external knowledge can be used to inform analysis. Two open source
visual analysis tools, each with a different perspective on visual reverse
engineering and forensics, will be demonstrated and released, as well as a
comprehensive survey of security visualization systems. If you read hex, you
should attend this talk.

Greg Conti

Greg Conti is an Assistant Professor of Computer Science at the United States
Military Academy. His research includes security data visualization and
web-based information disclosure. He is the author of Security Data
Visualization (No Starch Press) and the forthcoming Googling Security
(Addison-Wesley). His work can be found at www.gregconti.com and
www.rumint.org.

Erik Dean

Erik Dean is a research programmer at the United States Military Academy and
a graduate of the Rochester Institute of Technology. His research includes
forensic analysis, information visualization, and construction of offensive
and defensive information warfare training systems and networks.

iRK - Crafting OS X Kernel Rootkits

Jesse D'Aguanno

Track: Rootkits Arms Race

Over the last few years, OS X has captured much attention in the security
industry. Techniques in shellcode development, exploits, etc. have been widely
publicized and spoken on, yet the subject of covertly maintaining access once
gained has not been adequately covered.

This talk will build on previous rootkit research, applying rootkit and
kernel subversion techniques from the Windows, Linux and BSD worlds to Apple's
OS X operating system as well as taking advantage of some of the unique features
of OS X. It will detail topics such as: Introducing code into the XNU kernel
(Basic KEXT development), Hooking, Direct Kernel Object Manipulation, Patching
Running Kernel Memory, etc. It will cover some of the pitfalls encountered while
developing rootkits for OS X and how to overcome them.

Finally, we will combine these techniques and demonstrate a useful PoC
rootkit which can form the foundation for your own real-world rootkit.

Jesse D'Aguanno

Jesse "x30n" D'Aguanno is a Security Researcher and Software Engineer who has
been involved in the security industry and "underground" for over 10 years. As a
software engineer he has contributed to numerous open source and commercial
projects. As a researcher, he has written and published many papers and proof-of-
concept tools. His current research interests are primarily focused on binary
reverse engineering, anti-forensics, exploit development and network attack. He
is a frequent presenter at different industry conferences and events. By day he
works as the Director of Professional Services and Research for Praetorian
Global, a security services company in California. In his "spare" time, he is
the team captain for Digital Revelation, a security think tank best known as the
two-time winners (and almost annual participants) of Defcon CTF.

Methods for Understanding Targeted Attacks with Office Documents

Bruce Dang

Track: App Sec 1.0 / 2.0

As more security features and anti-exploitation mechanisms are added to
modern operating systems, attackers are changing their targets to higher-level
applications. In the last few years, we have seen increasing targeted attacks
using malicious Office documents against both government and non-government
entities. These attacks are well publicized in the media; unfortunately, there
is not much public information on attack details or exploitation mechanisms
employed in the attacks themselves. This presentation aims to fill the gap by
offering:
(1) A brief overview of the Office file format.
(2) In-depth technical details and practical analytical techniques for
triaging and understanding these attacks.
(3) Defensive mechanisms to reduce the effectiveness of the attacks.
(4) Forensic evidence that can help trace the attacks.
(5) [If we have time] Static detection mechanisms for these
vulnerabilities (i.e., how to write virus signatures for these vulns).
(6) Techniques to help detect these attacks on the wire.
(7) A surprise. :)

Bruce Dang

I do vulnerability analysis in the Secure Windows Initiative (SWI) Group.

Jared DeMott

Track: App Sec 1.0 / 2.0

For many years hackers have been reversing code, scanning source, fuzzing
applications, and crafting lethal exploits. It’s time for security researchers,
consultants, testers, and administrators to freshen up their skills by walking
back through the computer science fundamentals of these techniques. This is a
Deep Knowledge lecture series intended to bring newbs up from the ground, and to
hone and challenge pros that have been at it for a while. Bring your Red Bull
as former professor DeMott walks through the 6 lectures that he designed for his
security class.

Jared DeMott

Jared DeMott is a security researcher for Crucial Security, frequent speaker,
former teacher, and just this summer a first time author (fuzzing book with
Takanen and Miller). He has been deeply involved in the security community since
he started coming to BlackHat in 2000. Jared is probably best known for the
fuzzing tool, GPF, which he released in 2005.

Bad Sushi: Beating Phishers at Their Own Game

Nitesh Dhanjani, Senior Manager

Billy Rios, Microsoft

Track: Bots and Malware

This talk will expose the tools and tactics used in the phishing underground. What started as a simple examination
of phishing sites, turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues
modern day financial institutions and their customers.

Follow us as we track real life phishers hiding in the shadiest corners of the Internet, analyze the tools used by
phishers, determine if these phishers are really the Einsteinian Ninja Hackers the media portrays them to be, uncover how
phishers phish other phishers, and discover the sites where real life identities are being bought and sold.

Nitesh Dhanjani is an actual reincarnation of Dawkins' Spaghetti Monster. Nitesh Dhanjani is also a rare type of Blowfish that is poisonous to phishermen across the world. Once netted, Dhanjani's poison quickly disables the phishermen and spreads to their prized lines and lures. Currently, only two individuals, namely Chuck Norris and Bruce Schneier, are known to handle this toxic poison without fear of death.

Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.

Next Generation Collaborative Reversing with Ida Pro and CollabREate

Track: App Sec 1.0/ 2.0

A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind.
Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files which
quickly diverge, leaving the differences to somehow be reconciled. Pedram Amini's Ida Sync provided a first step towards automated
collaboration among Ida users; however, Ida Sync suffers from several shortcomings, including the fact that it has failed to keep pace
with the evolution of Ida's internal architecture. In this presentation, the authors present a new tool titled collabREate designed
to bring nearly effortless collaboration to Ida users. The talk will include discussion of the IDA API and the ways in which it
facilitates collaboration along with the ways in which it hinders collaboration. The design of a robust server component,
responsible for managing projects and connected clients will also be discussed along with a number of capabilities beyond
simple collaboration that are enabled via the collabREate architecture.

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate
School (NPS) in Monterey, CA. A computer engineer/scientist for 23+ years, his research interests include computer
network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences
such as Black Hat, Toorcon, CodeCon, and Shmoocon and is the author of the upcoming "The IDA Pro Book". In
his spare time he heads up the Sk3wl of r00t CTF team and can be found pulling all-nighters at Defcon.

Tim Vidas is a Research Associate in the Computer Science Department at the Naval Postgraduate School (NPS). His current primary research focuses around high assurance trusted computing, but interest also strays to digital forensics, reverse engineering, and the like. He maintains several academic affiliations and has previously spoken at conferences such as Shmoocon, CanSecWest, DC3 and HTCIA. In his free time he toys around with digital forensics competitions, CTF exercises, and any other interesting looking challenges.

A New Breed of Rootkit: The System Management Mode (SMM) Rootkit

Track: Root Kit Arms Race

Virtualization rootkits have been a hot topic for the past couple of years. In this talk, we will discuss a
new type of malware with potentially even greater stealth: The System Management Mode (SMM) Rootkit. System
Management Mode, a relatively obscure mode on Intel processors, provides an isolated memory and execution
environment. SMM code is invisible to the Operating System yet retains full access to host physical memory
and complete control over peripheral hardware. We will demo a proof of concept SMM rootkit that functions as
a chipset level keylogger. Our rootkit hides its memory footprint, makes no changes to the host Operating System,
and is capable of covertly exfiltrating sensitive data across the network while evading essentially all host based
intrusion detection systems and firewalls.

Shawn Embleton is the CTO of the Florida company, Clear Hat Consulting, Inc. Shawn
spoke at Black Hat in 2006 on the topic of using evolutionary computation for automated vulnerability
analysis and co-authored a prototype intelligent fuzz testing tool, named Sidewinder. During 2007,
Shawn co-taught the Black Hat Offensive Aspects of Rootkit Technology class with Sherri Sparks and
co-founded Clear Hat Consulting, Inc. Some of his current interests include hardware virtualization
and chipset level rootkit technology.

Sherri Sparks is President of the Florida company, Clear Hat Consulting, Inc. Currently, her research
interests include offensive / defensive stealth code technologies and digital forensics. She has spoken at Black Hat on these
topics and has taught the Black Hat Offensive Aspects of Rootkit Technology class. Her published articles have appeared in Usenix
Login, ACSAC, Security Focus, and Phrack magazine. With an increasing involvement in providing consulting / training
services for independent clients, she co-founded the company Clear Hat Consulting, Inc. in early 2007. Clear Hat
Consulting specializes in Windows kernel and hypervisor development as it relates to stealth rootkit technology,
digital forensics, and other custom software security solutions.

Arian Evans

Track: App Sec 1.0 / 2.0

Learn how to breathe new life into your old web application zero-day syntax
attacks. Even learn how to alert(document.cookie) with new-found panache.

By properly encoding, double-encoding, and triple-encoding, or by utilizing
newer, undocumented transcoding attacks, it is possible to bypass many common
web application security controls and successfully exploit the target parser.

Most importantly: These attacks are being used in the wild, right now, today.
Starting in February 2008 the first double-encoded, layer mass SQL Injection
attacks were discovered in the wild. As of May 1st they have compromised over
600,000 websites.

This presentation will discuss how these attacks work:
+ from creation
+ to exploit
+ to dependencies;
+ what software they target;

Finally we will demonstrate how to resolve these issues through modern
software design and coding practices.

Arian Evans

Arian Evans is the Director of Operations at WhiteHat Security, leading a
team of security engineers assessing over 600 production websites. Arian has
worked at the forefront of Web application security for more than 10 years. His
global projects include work with the Center for Internet Security, NIST, the
FBI, the Secret Service, and many commercial organizations on Web application
security and hacking incident-response. Arian consistently researches and
discloses new attack techniques and vulnerabilities in Web application software,
including commercial platforms like Cisco and Nokia. He designed the first
public Web application firewalls (WAFs) with transparent anti-CSRF and anti-XSS
protection (Paraegis and Razorwire PoCs in 2004 and 2005). Previously, Arian built
and led the Application Security Practice at FishNet Security. Prior to FishNet
Security, Arian had extensive experience building, testing, and performing
forensics on ecommerce and financial services software. Arian is a frequent
speaker at industry conferences including Black Hat, OWASP, RSA, and WASC
events, and was also a contributing author for "Hacking Exposed: Web
Applications." Arian also likes combining mountains, mistresses, martinis, and
motorcycles. Especially race V-twins that go "braap".

Hacker Court 2008: Hack MyFace

Track: Reception, Day 1

This year's presentation will once again feature Simple Nomad as the
defendant, a "l33t" hacker who frequently posts to a blog run by a
journalist who investigates cases of identity theft and exposure of
personal information. On one particular thread, our defendant claimed
to have a zero-day exploit that could break through any social
networking site. He is challenged by an undercover Federal Agent,
going by the handle of "Mudge" to put up or shut up by demonstrating
the exploit on a social networking site owned by Mudge known as
"MyFace."

In actuality, the MyFace "site" is a honeynet Virtual Machine (VM)
that is on a VM server that hosts about a dozen honeynets for other
cases that Mudge is not involved in. Not only does Simple Nomad break
the security of the MyFace site, in a moment right out of the Matrix,
he breaks out of the VM and sees all the other VMs on the server.

This is not good for Mudge.

The other undercover operations have now been compromised. Simple
Nomad has downloaded a document that describes the case that each VM
is assigned to. The problem is, Mudge doesn't know who Simple Nomad is
in real life or how to reach him. Mudge's agency leans on the
journalist to get him to disclose the IP address of the defendant. Of
course, our noble journalist refuses (and promptly gets cited for
contempt of court). Unfortunately, for the defendant, there are other
ways to track down an online identity and the defendant is arrested
and charged with two counts: unauthorized transmission of a program
and unauthorized access to a computer.

Defense attorney Jennifer Granick defends Nomad on the pure legal
grounds that (1) defendant was entrapped and (2) the access was
authorized because Mudge told the defendant to hack his machine.
Prosecutor argues (1) this is not entrapment and (2) access was not
authorized because defendant thought it was a hack of a legitimate
target and furthermore, when defendant left the virtual machine and
got into the other virtual servers, he accessed machines Agent Mudge
didn't have the intent or ability to authorize.

Both sides will argue their case on August 6, 2008 at the Palace 1
ballroom during the Gala Reception of Black Hat. Who will win? That's
for the audience to decide! So grab some food and drink from the Gala
and join us in the Palace 1 ballroom!

Carole Fennelly

Carole Fennelly is an information security professional with over 25 years of
hands-on experience in the computing technology field. Starting as a Unix System
Administrator in 1981, she was drawn into the developing information security
field as the commercial Internet grew. She is the author of numerous articles
for IT World, SunWorld and Information Security Magazine. A frequent speaker
at security conferences, such as the Black Hat Briefings, her technical
background includes in-depth security and administration knowledge of UNIX
operating systems. Ms. Fennelly is presently a Manager of Content and Documentation
with Tenable Network Security, creators of the Nessus vulnerability scanner.

Paul Ohm

Paul Ohm joined the faculty of the CU School of Law in Spring of 2006.
He specializes in the emerging field of computer crime law, as well as
criminal procedure, intellectual property, and information privacy.

Prior to joining CU he worked as an Honors Program trial attorney in the
Computer Crime and Intellectual Property Section of the U.S. Department
of Justice. Professor Ohm is a former law clerk to Judge Betty Fletcher
of the U.S. Ninth Circuit Court of Appeals and Judge Mariana Pfaelzer of
the U.S. District Court for the Central District of California. He
attended the UCLA School of Law where he served as Articles Editor of
the UCLA Law Review and received the Benjamin Aaron and Judge Jerry
Pacht prizes. Prior to law school, he worked for several years as a
computer programmer and network systems administrator, and before that
he earned undergraduate degrees in computer science and electrical
engineering.

Richard Salgado

Richard P. Salgado is a Senior Legal Director with Yahoo! Inc., where
he focuses on international privacy, security and law enforcement compliance
matters. Prior to joining Yahoo!, Mr. Salgado served as Senior Counsel in
the Computer Crime and Intellectual Property Section of the United States
Department of Justice. As a federal prosecutor, Mr. Salgado specialized in
investigating and prosecuting computer network cases, such as computer
hacking, illegal computer wiretaps, denial of service attacks, malicious
code and other technology-driven privacy crimes. Mr. Salgado also regularly
speaks on the legal and policy implications of searching and seizing computers
and electronic evidence, emerging surveillance technologies, digital evidence
and related criminal conduct. Mr. Salgado is a lecturer in law at Stanford
Law School, where he teaches a Computer Crime seminar; he previously served
as an adjunct law professor at Georgetown University Law Center and George
Mason Law School, and as a faculty member of the National Judicial College.
Mr. Salgado graduated magna cum laude from the University of New Mexico and
in 1989 received his J.D. from Yale Law School.

Kurt Opsahl

Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier
Foundation focusing on civil liberties, free speech and privacy law. Before
joining EFF, Opsahl worked at Perkins Coie, where he represented technology
clients with respect to intellectual property, privacy, defamation, and
other online liability matters, including working on Kelly v. Arribasoft,
MGM v. Grokster and CoStar v. LoopNet. For his work responding to government
subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department
of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela
Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl
received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa
Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007,
Opsahl was named as one of the "Attorneys of the Year" by California Lawyer
magazine for his work on the O'Grady v. Superior Court appeal.

Jennifer Granick

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in
Law and Executive Director of the Center for Internet and Society (CIS). She teaches,
speaks and writes on the full spectrum of Internet law issues including computer
crime and security, national security, constitutional rights, and electronic
surveillance, areas in which her expertise is recognized nationally.

Granick continues to consult on computer crime cases and serves on the
Board of Directors of the Honeynet Project, which collects data on computer
intrusions for the purposes of developing defensive tools and practices. She
was selected by Information Security magazine in 2003 as one of 20 "Women of
Vision" in the computer security field. She earned her law degree from
University of California, Hastings College of the Law and her undergraduate
degree from the New College of the University of South Florida.

Richard Thieme

"Those seen dancing were thought insane by those who could not hear the music." - Friedrich Nietzsche

Richard Thieme has been hearing the music for a long time. His track record includes hundreds of
articles, dozens of short stories, one book with four more coming, several thousand speeches, and,
in a former incarnation, hundreds of original sermons.

His sci-fi short story, “Silent Emergent, Doubly Dark” was chosen for /Subtle Edens/, an anthology
coming in November in London. With nearly 30 stories published in the past few years, he is looking to
bring out a collection (/More Than a Dream: Stories of Flesh and the Spirit/). His video interviews for
the Hexen project on art and technology are showing up on walls in European galleries. He is happily
contributing to the MUFON History Project documenting the response of the government to UFO phenomena
in the 1940s and 1950s. In short, he manages to stay busy.

Peiter Zatko

Mr. Peiter “Mudge” Zatko was a Senior Security Architect/Engineer at BBN from
1994 to 1998, and he rejoined BBN in 2004 as a Division Scientist focusing on
research and development activities in support of DARPA and Intelligence
Community projects and is now a Technical Director for BBN's National
Intelligence Research and Applications division. He is an experienced and
nationally known researcher. After leaving BBN he served as the CEO and Chief
Scientist at LHI Technologies, was the Chief Scientist and Executive Vice
President for R&D at @Stake Inc., and was the Chief Scientist at Intrusic Inc.,
all companies involved with network and information security. He has also
served on the advisory boards of several organizations, as an R&D
Subcommittee Member to the Partnership for Critical Infrastructure Protection,
and as a Research Subcommittee Member to the Office of Science and Technology.
Mr. Zatko has testified to the United States Senate Committee on Government
Affairs as a subject matter expert in regards to Government systems, and to the
House and Senate Joint Judiciary Oversight Committee as a subject matter expert
on legislation regarding cyber crime. He has also been an invited special guest
contributor to projects and papers for the INFOSEC Research Council. He has
published papers in ACM and CORE/CQRE refereed journals, and his architecture
security analysis paper was published in the Usenix Security refereed journal.
He has taught offensive cyber warfare techniques and tactics courses at the Air
Force Information Warfare Center, lectured on opposing forces threats and
capabilities at the Army War College, lectured on future vulnerability areas of
research at the Navy Post-Graduate College and at the National Security Agency,
gave a lecture series at Georgetown University, was a Visiting Scientist at
Carnegie Mellon University, and conducted training courses for the I4/C4 groups
at NSA. Mr. Zatko is the inventor of L0phtCrack, an industry standard Microsoft
password auditing tool, of AntiSniff, the world’s first remote promiscuous
system detector that was used across primary DoD entities, of Tempwatch, now a
distributed component of Linux and BSD distributions, and of SLINT, a pioneering
tool in automating source code analysis to discover security coding problems.
Mr. Zatko was recognized by the National Security Council, Executive Office of
the President, as a vital contributor to the success of the President’s
Scholarship for Service Program. He was also recognized as contributing to the
CIA’s critical national security mission. He is an honorary plank owner of the
USS McCampbell (DDG-85).

Brian Martin

Brian Martin is an outspoken Nessus Subject Matter Expert with Tenable
Network Security. With over ten years of professional
security assessment experience, he has had the opportunity to provide
cynical review of network and physical security for all types of
business, government agency and military facility. With that
experience, he now helps to develop and guide the Nessus vulnerability
scanner and other Tenable products. Martin's training and articles
have given people an accurate and honest picture of the
dismal state of Information Security across all industries. In his
spare time, he is the content manager for the Open Source
Vulnerability Database and a champion of small misunderstood creatures.

Jonathan Klein

Jon has been a software developer in the Unix/C environment for over
20 years. During that time, he has developed custom security software
for several large financial institutions and held key roles in
numerous application deployments. Facing the choice of a management
career that would remove him from hands-on technical work, Jon chose
consulting as a method of achieving both. Jon has participated in
forensic investigations on behalf of the Federal Defender's Office in
Manhattan and with private attorneys, discovering there is more to
being a technical witness than purely technical knowledge.

Simple Nomad

Simple Nomad is a security researcher and architect, which means he is a hacker who got a job.
He speaks on security and privacy topics at conferences around the globe, as well as entertaining
the press via interviews in television, print, and online mediums. In addition to being one of
the most attractive hackers on the planet, he did not write his own bio. Really. Seriously.
Ok...fine, I did. So sue me.

Caitlin Klein

Caitlin is a student with interests in gaming, computers, horse riding, dance, more gaming and lots of coffee…

Ryan Bulat

Ryan Bulat used to major in Computer Science until he decided that he much preferred writing…or psychology….or law….

Passive and Active Leakage of Secret Data from Non Networked Computer

Eric Filiol

Track:

This talk addresses the issue of stealing data from computers or systems that
are never, or almost never, connected to any network, due to their critical status.
The security target assumes that the attacker may have a very limited direct
(physical access) or indirect access (through any innocent user) to the
computer, for a very small amount of time and at the initial part of his attack.
His problem is to collect data from the computer he manages to compromise
(active attack) or which has been identified as containing some exploitable
weakness, but without using any network connection (including wireless -- WiFi,
Bluetooth... -- communication protocols).

In this talk we are going to recall the very few open existing techniques and
then present some new approaches that we designed in our lab, based on
mathematical signal processing. A demo will be given of our new
technique.

Eric Filiol

Eric is the Head Scientist Officer of the Operational Cryptology and
Operational Computer Virology Lab at the French Army Signals Academy in Rennes
and at the ESIEA Engineer Academy in Laval, France. He holds a PhD in Applied
Mathematics and Computer Science, a Habilitation Thesis in computer science, as
well as an engineering diploma in cryptology. My main research interests are
operational cryptanalysis of symmetric cryptosystems, and malware
modelization.

Threats to the 2008 Presidential Election (and more)

Track: App Sec 1.0 / 2.0

While we first saw the Internet used extensively during the 2004 Presidential election, its use in future presidential elections
will clearly overshadow it. This session focuses on the 2008 presidential election in order to demonstrate the risks involved, however
our findings may just as well apply to any future election.

It is important to understand the associated risks as political candidates increasingly turn to the Internet to more effectively
communicate their positions, rally supporters, and seek to sway critics. These risks include among others the dissemination of
misinformation, fraud, phishing, malicious code, and the invasion of privacy. Some of these attacks, including those involving
the diversion of online campaign donations have the potential to threaten voters' faith in our electoral system.

We will show that many of the same risks that we have grown accustomed to on the Internet can also manifest themselves when
applied to the election process. A number of past studies have discussed a broad spectrum of election fraud such as the casting
of fraudulent votes and the security, risks, and challenges of electronic voting. Our discussion will focus exclusively on
Internet-borne threats, and how they have the potential to impact the election process leading up to voting day.

We will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet
domains. We will present and demonstrate how widespread this activity has already become.

Secondly, we will discuss the potential impact of phishing on an election.

Thirdly, we will discuss the impact of security risks and malicious code, and the potential for misinformation
that may present itself using any of these vectors. This set of risks crosses technical, social, and psychological
boundaries. While traditional forms of malicious code certainly play an important role, social engineering and
deception provide equal potential and have a more ominous psychological impact on voters who are exercising
their right to elect their next president, or cast their vote in any other type of election.

This session consists of a combination of active research conducted by the presenter as well as
discussion on how current threats may be customized. In order to determine the impact of typo squatting
and domain name speculation for example, we performed an analysis of 2008 presidential election candidate
web sites and discovered numerous examples of abuse.

Oliver Friedrichs is the Director of Emerging Technologies in Symantec Security Response, the organization responsible for the delivery of AntiVirus definitions, intrusion detection updates, and early warning technologies within Symantec. Mr. Friedrichs served as co-founder and Director of Engineering at SecurityFocus until the company’s acquisition by Symantec in 2002. At SecurityFocus Mr. Friedrichs managed the development of the industry’s first early warning technology for Internet attacks, the DeepSight Threat Management System. Mr. Friedrichs also created and grew the DeepSight Threat Analyst team providing thorough analysis of emerging Internet threats. Prior to SecurityFocus, he served as co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. At Secure Networks, Friedrichs architected and managed the development of Ballista network security auditing software, later rebranded CyberCop Scanner by Network Associates. At Network Associates Mr. Friedrichs also founded COVERT (Computer Vulnerability Exploitation Research Team) with the exclusive goal of researching and discovering new security vulnerabilities. Mr. Friedrichs also architected and developed a prototype of the industry’s first commercial penetration testing product, codenamed SNIPER. The technology was acquired by Core Security Technologies in 2001 and further developed to become CORE IMPACT, the company's flagship product and market leader for automated penetration testing. Mr. Friedrichs has over 15 years of expertise in security technologies, including network assessment, intrusion detection systems, firewalls, penetration testing, and honeypots. As a frequent speaker, he has shared his expertise with many organizations, including the Department of Homeland Security, U.S. Secret Service, the IRS, the DOD, NASA, AFOSI, and the Canadian DND.

Taking the Hype Out of Hypervisors

Tal Garfinkel

Track: Virtualization

The adoption of virtual machine technology is one of the most dramatic
changes to enterprise computing in the last decade; unsurprisingly, these changes have
substantial implications for system security. Unfortunately, much of the
current debate around virtual machine security focuses on issues that are
either intractable, such as the probability of virtual machine escapes,
trivial, such as discrepancies between current virtual and real
network gear, or red herrings, such as virtual machine based rootkits.

This talk offers an antidote for the current state of affairs. To begin, I
help put these previous points of debate into perspective. Next, I move on to
explore more fundamental changes brought on by the move to virtualization such
as rapid scaling and increased diversity, increased mobility, loss of machine
identity and problems of accountability, discrepancies between real and virtual
time, and how these changes have created new operational challenges as well as
posing difficulties for existing security architectures. Finally, I discuss
what virtual infrastructure vendors and security technology developers need to
do to cope with these challenges.

Tal Garfinkel

Tal Garfinkel has been working on system security research for the past 10
years. His work has appeared in many of the world's top academic conferences,
and has seen commercial adoption by VMware and others. Offensive
techniques developed in his work have been used to break practical systems such
as Systrace and Bitlocker. Tal is a recognized authority on virtual machine
security, and in addition to his own work, has served on numerous program
committees and panels, as well as being a founder of the Usenix Workshop on
Offensive Technology (WOOT). Tal has consulted for VMware on and off since
2003, and is currently employed as a researcher in VMware's Advanced
Development group. He is also working on completing a PhD at Stanford
University, where his thesis focuses on novel applications of virtual machine
based technology to security. He holds a bachelor's degree with honors from the
University of California at Berkeley.

Side-channel Timing Attacks on MSP430 Microcontroller Firmware

Travis Goodspeed

Track: Hardware

The Texas Instruments MSP430 low-power microcontroller is used in many
medical, industrial, and consumer devices. It may be programmed by JTAG,
Spy-Bi-Wire, or a serial BootStrap Loader (BSL) which resides in masked ROM.

By design, JTAG may be disabled by blowing a fuse. The BSL may be disabled
by setting a value in flash memory. When enabled, the BSL is protected by a
32-byte password. If these access controls are circumvented, a device's
firmware may be extracted or replaced.

After a thorough introduction, this talk will discuss in excruciating detail
the results of an effort to reverse engineer the BSL code. Once the BSL's
function has been covered, a timing attack will be discussed which might be used
to guess the password without brute force under certain conditions.

Travis Goodspeed

Travis Goodspeed works at the Extreme Measurement Communications Center of
the DOE Oak Ridge National Laboratory. He has spoken at ToorCon 9 and the Texas
Instruments Developer Conference regarding stack overflow exploits for
MSP430-based Wireless Sensor Networks. Having demonstrated that such attacks are
possible, his present research is aimed at porting defense techniques, such as
ASLR and code-auditing, to this platform.

Get Rich or Die Trying - "Making Money on The Web, The Black Hat Way"

Jeremiah Grossman, Arian Evans

Track: Web 2.0

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some
serious cash on the Web silently and surreptitiously, you don’t need them. You
also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level
reverse engineering skills -- all you need is a Web browser, a clue on what to
look for, and a few black hat tricks. Generate affiliate advertising revenue
from the Website traffic of others, trade stock using corporation information
passively gleaned, inhibit the online purchase of sought after items creating
artificial scarcity, and so much more. Activities not technically illegal, only
violating terms of service.

You may have heard these referred to as business logic flaws, but that name
really doesn’t do them justice. It sounds so academic and benign in that context
when the truth is anything but. These are not the same ol’ Web hacker attack
techniques everyone is familiar with, but the ones staring you in the face and
missed because gaming a system and making money this way couldn’t be that
simple. Plus IDS can’t detect them and Web application firewalls can’t block
them. In fact, these types of attacks are so hard to detect (if anyone is
actually trying) we aren’t even sure how widespread their use actually is. Time
to pull back the cover and expose what’s possible.

Jeremiah Grossman

Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a
world-renowned expert in Web security, co-founder of the Web Application
Security Consortium, and named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman
is a frequent speaker at major industry events around the globe, a Black Hat
veteran, and has been invited to present at a number of large universities. He
has authored dozens of articles and white papers; is credited with the discovery
of many cutting-edge attack and defensive techniques; and is a co-author of XSS
Attacks. Mr. Grossman is frequently quoted in major media publications such as
InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet,
CSO, and InformationWeek. Prior to WhiteHat he was an information
security officer at Yahoo!

Arian Evans

Hacking and Injecting Federal Trojans

Lukas Grunwald

Track: Forensics & Anti Forensics

Remote Forensic Software or "offensive security" is the new trend in law
enforcement and the fight against terrorism.

The topic is known in Germany as "Federal Trojan". This talk will give
an introduction to the needs and problems with classic lawful
interception and new remote methods. The problem of poisoning of evidence
after a "Trojan" attack from law enforcement, as well as new attack vectors
for bad guys, are discussed.

This talk will give a demonstration of an "infection proxy" which shows
how to inject malware on the fly while downloading some software, how to
bypass commercial security solutions like virus scanners and anti-malware
tools, and how effective Trojan attacks could be if your ISP is helping law
enforcement. Methods for anti-remote-forensics are handled as well. Methods
of detection of infection proxies and other lawful interception methods are
shown.

Lukas Grunwald

Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH
(Hildesheim/Germany), a globally active consulting firm working mainly in the
field of security solutions for enterprises and federal governments in Europe
and Asia. He is also the head of the Hacking Lab where new technology is
evaluated. Mr. Grunwald has been working in the field of IT security for nearly
15 years now. He specializes in security of wireless and wired data and
communication networks, forensic analysis, audits and active networking. Mr.
Grunwald regularly publishes articles, talks and press releases for specialist
publications. He also participates actively in several conferences all over the
world. Mr. Grunwald is co-author of RFDump, an RFID attack and audit tool that
is free software and got some attention for the first live clone and attack of
the ePassport at BlackHat.

Decompilers and Beyond

Ilfak Guilfanov

Track:

Disassemblers are routinely used for reverse engineering but their inherent
limitations make them ineffective for modern large applications. In order to
cope with the volume and complexity, we have to switch to the next level of
binary code analysis: decompilation.

In this presentation we will discuss the process of decompiler construction,
the encountered problems and solutions. Our slides will show the decompilation
process step by step.

Decompilers open the way to new tools and analysis methods - we will also
briefly discuss them.

Ilfak Guilfanov

Mr. Guilfanov, the founder and CEO of Hex-Rays SA, holds a BSc in Mathematics
from Moscow State University. He is the senior architect of several highly
regarded software packages including the widely used IDA Pro, a multi-platform,
multi-processor disassembler and debugger. Mr. Guilfanov is also known for
having released, on 31 Dec 2005, a highly publicized unofficial fix for the
Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system.

Got Citrix, Hack It!

Shanit Gupta

Track: Turbo Talks

Citrix is a widely used remote desktop application utilized in many major
corporations around the world. In addition to offering the typical benefits of
RDP and Microsoft terminal services, it is capable of sandboxing and restricting
the applications that can be executed by the user. Unfortunately, oftentimes
the Citrix environment can introduce a false sense of security within
organizations. There are several ways to circumvent security controls within the
Citrix framework and many system administrators are not aware of these attacks.
During this presentation, we’ll demonstrate ways in which to compromise the
Citrix environment using multiple attack vectors. Then we’ll show you the
corresponding remediation strategies.

Shanit Gupta

Shanit is a Senior Security Consultant at Foundstone. Shanit is responsible
for creating and delivering the threat modeling, code review, and application
security service lines. Shanit is also responsible for the design, development,
and release of the free tools by Foundstone. Shanit has strong computer science
fundamentals and software development experience on UNIX and Windows. Prior to
joining Foundstone, Shanit was involved in developing real-time operating
systems and a survivable prototype of the Kerberos authentication service at
Carnegie Mellon. Shanit also worked at Alcoa, Inc., as a software developer,
building critical internal applications. Shanit has diverse experience in a
number of areas of software development and security. In the last 4 years at
Foundstone, Shanit has reviewed custom operating system kernels, device drivers,
virtualization environments, and large complex trading infrastructures.

Attacking the Vista Heap

Ben Hawkes

Track: 0-Day

This presentation explores the cutting edge of heap exploitation theory and
practice on Windows Vista. The focus is on finding previously unknown attack
vectors resulting from memory corruption on the heap. These include techniques
for controlling execution flow by attacking only the heap implementation and not
the application itself, and techniques for attacking the application in
conjunction with the heap. Additionally, several design changes to further
improve the security of the Vista heap will be suggested.

The heap is the userland component in charge of dynamic memory management. It
is present and used to some extent in every Windows Vista process. Memory
corruption on the heap (heap overflow) is common, seen in nearly every
application and making up a large portion of reported vulnerabilities. With
Windows Vista, Microsoft introduced several security features to the heap,
effectively hardening it from classic heap overflow exploit techniques.

Ben Hawkes

Ben Hawkes is an independent researcher from New Zealand specializing in
computer security and cryptanalysis. He is studying mathematics and computer
science at Victoria University of Wellington, New Zealand.

The Four Horsemen of the Virtualization Security Apocalypse

Christofer Hoff

Track: Virtualization

Despite shiny new stickers on the boxes of our favorite security vendors'
products that advertise "virtualization ready!" or the hordes of new startups
emerging from stealth decrying the second coming of security, there exists the
gritty failed reality of attempting to replicate complex network and security
topologies in virtualized environments.

This talk will clearly demonstrate that unless we radically rethink our
approach, the virtualization security apocalypse is nigh!

This talk will focus on both securing virtualization as well as virtualizing
security; from virtualization-enabled chipsets to the hypervisor to the VMs,
we'll explore the real issues that exist today as well as those that are coming
that aren't being discussed or planned for.

Christofer Hoff

Chris Hoff is currently Unisys' Chief Security Architect. Hoff has over 15
years of experience in high-profile global roles in network and information
security architecture, engineering, operations and management. Prior to
Unisys, he served as Crossbeam Systems' chief security strategist, was the
CISO for a $25 billion financial services company and was founder/CTO of a
national security consultancy. Hoff obviously also enjoys referencing
himself in the third person.

Circumventing Automated JavaScript Analysis Tools

Billy Hoffman

Track:

JavaScript is fast becoming the vehicle of choice for malware authors. Over
the last 3 years we’ve seen how attackers can use vanilla JavaScript to create
powerful payloads such as intranet port scanning and hijacking, information
theft, and even full web security assessments and SQL injection attacks. Even
traditional browser or operating system attacks are being delivered to victims
through the browser encased inside a JavaScript packed IFrame. Obfuscated
JavaScript payloads are the norm thanks to malware frameworks like MPACK. With
so many security threats being launched through JavaScript it is crucial to
explore the capabilities of the tools researchers have to analyze malicious
JavaScript as well as countermeasures that can be taken against them.

In this presentation we will explore the tit-for-tat battle between malicious
JavaScript authors and security researchers. We will look at the current tricks
and techniques used to protect malicious JavaScript from analysis, such as
dynamic encoding (JS/Wonka), deliberate tool breaks (, etc), unmodifiable
functions, and network nonces. We will see how researcher tools such as
CaffeineMonkey and Decrypt JS attempt to defeat these current tricks and analyze
basic obfuscated JavaScript.

Next we explore multiple new techniques to circumvent the current generation
of automated analysis tools by detecting their presence from inside malicious
JavaScript. (JSPill? hmmmm) These methods include HTTP/browser fingerprinting,
DOM testing and encrypting, Domain and Network testing, Execution environment
testing, and cross plugin communication testing. We will demonstrate malicious
JavaScript detecting analysis tools using these methods and refusing to give up
its secrets until it's running in the web browser of choice. We’ll demonstrate
encrypting JavaScript to only run in particular browsers or environments. We’ll
also demonstrate a couple of other tricks, such as encoding malicious JavaScript as
nothing but white space, and function clobbering for fun and profit.

Finally we discuss countermeasures to the countermeasures, and offer feature
ideas and advice for researchers developing the 3rd generation of automated
JavaScript analysis tools.

Billy Hoffman

Billy Hoffman is the manager for HP Security Labs of HP Software where he
leads research focused on JavaScript source code analysis, automated discovery
of Web application vulnerabilities, and web crawling technologies. His work has
been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other
journals and Web sites. Billy is a regular presenter at hacker conferences
including Toorcon, Shmoocon, Phreaknic, Summercon, and Outerz0ne and is active
in the South East hacking scene. Occasionally the suits make him take off the
black t-shirt and he speaks at more mainstream security events such as RSA,
Infosec, AJAXWorld, and Black Hat. Billy is also the author of the book Ajax
Security published by Addison Wesley in December 2007.

Protecting Vulnerable Applications with IIS7

Brian Holyfield

Track: Turbo Talks

With the advent of IIS7 and its modular design, Microsoft has provided the
ability to easily integrate custom ASP.NET HttpModules into the IIS7
request-handling pipeline. This session will present an IIS7 module designed to
leverage this architecture to actively and dynamically protect web applications
from attack. With minimal configuration, the module can be used to protect
virtually any application running on the web server, including non-ASP.NET
applications (such as those written in PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of the
module, including a detailed explanation of available features and attack
defense techniques. The session will focus on live demonstrations of how the
module can easily be installed to protect already-deployed applications and how
it can block both traditional web application attacks, such as SQL injection and
Cross-Site Scripting, and application-specific vulnerabilities like parameter
manipulation and authorization attacks.

Following this presentation, the module will be available for free
download and use.

Brian Holyfield

Brian Holyfield is a founding member of Gotham Digital Science. He has
worked in the realm of information security for over 9 years, and has extensive
security testing and consulting experience. Brian was also a contributing
author for “Network Security Tools” (O'Reilly, 2005), where he outlined how to
build an automated vulnerability detection and exploit scanner for web-based
applications.

This presentation and accompanying paper quantifies the impact of polymorphic
and metamorphic threats on the digital investigator and explores non-traditional
approaches to investigation. The paper provides a DNA Taxonomy approach for
examining and discovering characteristics (live and postmortem) exhibited by
these advanced threats.

Chet Hosmer

Virtually Secure

Oded Horovitz

Track: Virtualization

Virtualization is a disruptive technology in the data-center which opens the
path for new solutions for old problems.

Specifically, virtualization allows the isolation of a particular workload
(an application within a VM) from the underlying hardware, and enables the
creation of software services which can run independently of the original
workload.

The presentation will focus on the capabilities of security applications
delivered as services of the hypervisor, how these new services compare with
existing security agents which run inside virtual machines, and what the
possible future of workload security in a virtual data-center is.

Oded Horovitz

I am currently part of the VMware engineering organization as an architect for
the VMsafe program. Being fascinated with building defense systems for the past
10 years, I have been enjoying the opportunity to unleash the possibilities of
hypervisor based defense capabilities. Prior to VMware, I was working
as an architect for Entercept, now known as McAfee HIPS following
Entercept's acquisition back in early 2005. Having the opportunity of being part
of the pioneering group for host-based intrusion-prevention systems, I was lucky
enough to learn anything there is to learn about vulnerabilities and
exploitation (yes, I'm referring mostly to the good old old-school overflow
attacks and such, with all due respect to the XSS generation) and have shared
some of my findings with the security community. My most popular publication was
the work done with Matt Conover about the possibilities of reliable exploitation
of Windows heap overflows.

Pointers and Handles, A Story Of Unchecked Assumptions In The Windows Kernel

Alex Ionescu

Track: 0-Day

This presentation will discuss several vulnerabilities in Win32k.sys, the
Windows NT kernel-mode library responsible for the Windows GUI Subsystem,
ranging from privileged-path denial-of-service attacks due to bad assumptions
regarding the validity of pointers before they are dereferenced, to the more
dangerous unprivileged attacks, which leave any Windows NT-based operating
system vulnerable to a local denial-of-service attack from a user with logon
privileges (including a guest account).

First, a couple of unchecked pointer dereferences will be exposed, caused by
a typical programming bug of assuming the occurrence of a certain initialization
stage, which actually may not have occurred (either by design, or due
to timing). These kinds of bugs are amplified when the code makes assumptions
due to the undocumented nature of the interface, and uses this assumption in
lieu of pointer validation.

The second programming error that will be exposed is a combination of
incorrect trust of user-mode accessible handles, especially non-privileged
access, and incorrect usage of Nt versus Zw APIs when dealing with user-mode
data. The kernel mechanism of “protect from close” handles will be explained, as
well as how it can be used to attack Win32k.sys.

This second part will be the most focused part of the presentation, since it
is a pretty new kind of vulnerability that has been overlooked until now, mostly
because it typically only allows DoS or information leaks -- in today's Terminal
Services/Multi-User world however, it simply cannot continue to be ignored.

Alex Ionescu

Alex Ionescu's experience in OS design and kernel coding dates back to
his early adolescence, when he first played with John Fine's
educational OS, Kernel, and Boot Loader code. Since then, he has been
active in the area of NT kernel development, offering help and advice
for driver developers, as well as in the NT reverse engineering and
security field, where he has published a number of articles and source
code, such as documentation for the Linux NTFS project, extensive
papers on the Visual Basic Metadata and Pseudo-code format, and NTFS
Structures and Data Streams. During the last 3 years, he had been
working on the ReactOS project as the lead kernel developer, and
responsible for writing most of its Windows Server 2003-based kernel.
In the past year, he has been contracted to be the principal writer of
the updated content in the 5th Edition of the Windows Internals book
series, and he is also an instructor for David Solomon Expert
Seminars, a well-known seminar company owned by David Solomon,
co-author of the Windows Internals books. Alex speaks at technical
conferences including Recon 2006 where he gave a talk about a new NT
Kernel exploit that allowed a user to access kernel memory from
user-mode and BlackHat 2008, where he will be presenting four new
Windows kernel exploits. In his spare time, he publishes tools and
articles on his blog, www.alex-ionescu.com.

Black Ops 2008 -- Its The End Of The Cache As We Know It

Dan Kaminsky

Track: The Network

DNS is at the heart of every network -- when a web site is browsed to, it says where
the site is, and when an email is sent, DNS says where to. The answer is usually
correct -- but not always. Six months ago, it became clear that there was an ancient
design flaw, present in the original 1983 specification for DNS, that would allow any
attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced,
culminating in a simultaneous release date of patches for virtually all platforms.
We will talk about the issue, and about how a partnership between industry competitors
and researchers helped protect all our customers.

Dan Kaminsky

Dan Kaminsky is a long time speaker at the Black Hat Briefings, delivering now his ninth talk.
Dan has spent his entire career with Fortune 500 companies, having spent two years at Cisco,
another two at Avaya, and most recently consulting at Microsoft. His research focuses on design
characteristics of complex systems -- making old systems do new things, and lately, breaking new
things in old ways. The Director of Penetration Testing for IOActive, Dan is based in Seattle.

Vista and ActiveX Controls

Su Yong Kim

Track: Turbo Talks

This presentation will address the differences in ActiveX control
vulnerabilities between Vista and XP. Internet Explorer is more secure on Vista
due to UAC (User Account Control) and protected mode. However, ActiveX control
vulnerabilities on Vista have nearly the same effect as those on XP. The reason
for this is that ActiveX controls for Vista have been developed with a focus on
compatibility only, not security. Vista needs additional techniques to
successfully exploit file/registry writing vulnerabilities, process execution
vulnerabilities, and buffer overflow vulnerabilities. In this presentation, these
techniques will be addressed in detail.

There is a common mistake that developers are liable to make with Vista.
Developers sometimes install program files in low integrity folders, because
they wish to update them silently. However, program files with low integrity can
be overwritten easily by malicious users. I developed a tool to identify this
problem.

There are two ways developers elevate the privilege of an ActiveX control - explicit
or implicit. Implicit privilege elevation is more dangerous, because it does not
require user agreement. Implicit privilege elevation does not elevate the
privilege of the ActiveX control itself but uses another higher-privileged surrogate
process. If privilege-elevated ActiveX controls have a critical vulnerability,
malicious users can obtain higher privilege by exploiting this vulnerability.
Therefore, developers should not overuse implicit privilege elevation when
writing a secure ActiveX control. Analyzers should take implicit privilege
elevation of ActiveX controls into consideration when they inspect ActiveX
controls on Vista.

Su Yong Kim

Su Yong Kim is a senior member of the engineering staff in the attached
institute of ETRI. His research focuses on finding vulnerabilities in software,
especially ActiveX control. He developed YMFAC to manually inspect ActiveX
control. He presented his paper about ActiveX control security at the CanSecWest
2007 conference.

New Classes of Security and Privacy Vulnerabilities for Implantable Wireless Medical Devices

Tadayoshi Kohno, Kevin Fu

Track:

Medical devices are becoming more sophisticated and wireless. We recently
published an academic paper titled "Pacemakers and Implantable Cardiac
Defibrillators: Software Radio Attacks and Zero-Power Defenses." In this paper
we describe experiments with a real, common implantable defibrillator and show
that risks are real, albeit small today. Using our own equipment, we are able
to extract private information stored on the implantable defibrillator, change
its settings, and even make it issue an electric shock. (We stress that patients
should not be concerned about our current results, but that the community should
demand stronger security mechanisms in future devices.)

Previously one of us (KF) made international news by exposing vulnerabilities
in RFID credit cards, and the other of us (TK) was the first to publicly study
the security of the Diebold electronic voting machine (in 2003). We've now
turned our attention to implantable medical devices because we think that
security will become increasingly important in the near future. Second,
implantable medical device security is exactly the right tool to talk about how
the security community will evolve -- it's no longer just about PCs and network
security -- small embedded systems are now life critical.

Come to this talk and learn about the directions of implantable medical
devices, the security and privacy risks that we have experimentally discovered,
and our predictions for the field. And, as a bonus, learn what drives the
academic security research community and why, collectively, we've dedicated our
time to studying e-voting, credit cards, and implantable medical devices, and
what we think the community might turn to next. And learn some principles that
will help your future systems -- whether embedded, or medical, or not -- be more
secure from the start.

Tadayoshi Kohno

Kohno is an Assistant Professor of Computer Science and Engineering at the
University of Washington. He worked as a cryptography and computer security
consultant with Bruce Schneier, back when Counterpane Systems had less than a
handful of full-time cryptographers and before the days of Counterpane Internet
Securities, Inc. Since then he's published security analyses of technologies as
varied as electronic voting machines, implantable wireless defibrillators, file
encryption systems, popular consumer devices, and ISP ad injectors. Kohno has a
Ph.D. in Computer Science (cryptography) from the University of California at
San Diego.

Kevin Fu

Dr. Kevin Fu, PhD, is an assistant professor in the Department of Computer
Science at the University of Massachusetts Amherst. He serves as the principal
investigator of the RFID Consortium on Security and Privacy (RFID-CUSP.org) and
the co-director of the Medical Device Security Center (secure-medicine.org).
Dr. Fu investigates how to ensure security and privacy for devices that must
defend against malicious parties. His contributions include the security and
threat model analysis of several systems ranging from contactless "no swipe"
credit cards and wireless medical devices to access-controlled Web sites and
automated software updates. Dr. Fu's research has led to improvements in
security and privacy of pervasive devices, promoting the vision of safer and
more effective technology for consumers. Dr. Fu received his Ph.D. in
Electrical Engineering and Computer Science at the Massachusetts Institute of
Technology. He has served on numerous program committees of prestigious
conferences in computer security and cryptography, and has given dozens of
invited talks world-wide to industry, government, and academia on the topic of
security and privacy. His research has appeared in The New York Times and The
Wall Street Journal.

Jinx - Malware 2.0

Itzik Kotler, Jonathan Rom

Track: Bots & Malware

Browsers nowadays are competing with operating systems as the next
application development platform. The rapid development of Web 2.0 keeps pushing
browser developers into implementing advanced features that allow the creation
of interactive multimedia applications. This sets the grounds for a new fertile
environment in which a new breed of malware can come to life. Malware that is OS
and architecture independent, as covert as a cutting edge rootkit but at the
same time implemented through a series of APIs and a generous variety of
high-level OOP languages simplifying the task.

Itzik Kotler

Itzik Kotler is Radware's Security Operation Center Team's Leader. He manages
a team of researchers that follows him into exciting adventures in the dark
world of networking, where every standard and rule can be bent and
vulnerabilities are lurking on every bit and byte. Radware SOC is a
vulnerability research center that develops updated signatures and new
techniques to defend against known and undisclosed application vulnerabilities. Prior to
joining Radware, Itzik held a number of security research positions and served
in an Elite Intelligence unit in the Israeli Defense Force (IDF).

Jonathan Rom

Jonathan Rom is currently a Security Researcher at Radware, Inc. where he
focuses on protocol analysis and anomalies. Jonathan has worked as a
UNIX/Security counselor for both government and private sectors and has over 10
years of experience. He has a bachelor degree in computer science from the
Interdisciplinary Center in Herzelia.

Mobile Phone Messaging Anti-Forensics

Zane Lackey, Senior Security Consultant, iSEC Partners

Luis Miras, Independent Security Researcher

Track: Forensics

With the increased use of SMS, performing forensics on seized mobile phones to retrieve text and multimedia
messages is rapidly becoming a critical investigative requirement. As with other areas of forensics, the mobile
phone forensics toolkits available today are not perfect. This talk will seek to inform the audience of various
attacks we have discovered against mobile phone forensics software that allow attackers to avoid detection.
Additionally, during this talk we will release and demonstrate a tool for sending and receiving covert SMS
messages. Finally, we will release SMS fuzzing tools to allow vendors and users of mobile phone forensics
software to test the reliability of the tools they rely upon.

Zane Lackey is a Senior Security Consultant with iSEC Partners—a strategic digital
security organization. Zane regularly performs application penetration testing and code reviews for iSEC.
His research focus includes AJAX web applications, VoIP, and mobile phone security. Zane has spoken at
top security conferences including BlackHat, Toorcon, MEITSEC, and the iSEC Open Forum. Additionally, he
is a co-author of "Hacking Exposed: Web 2.0" (McGraw-Hill/December 2007) and contributing author
of "Hacking VoIP" (No Starch Press/Fall 2008). Prior to iSEC, Zane focused on Honeynet research
at the University of California, Davis Computer Security Research Lab under noted security researcher Dr.
Matt Bishop.

Luis Miras is an independent security researcher. He has worked for both security product vendors and leading consulting firms. His interests include vulnerability research, binary analysis, and hardware/software reverse engineering. In the past he has worked in digital design and embedded programming. He has presented at CanSecWest, Black Hat, CCC Congress, XCon, REcon, Defcon, and other conferences worldwide. Recently Luis co-authored "Reverse Engineering Code with IDA Pro" (Syngress/2008). When he isn't head down in IDA or a circuit board, you will likely find him boarding down some sweet powder.

Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation

Eric Laspe

Track: Turbo Talks

The Deobfuscator is an IDA Pro plug-in that neutralizes anti-disassembly code
and transforms obfuscated code to simplified code in the actual binary. This
plug-in uses emulation techniques to remove obfuscated code and replace it with
a simplified, transformed equivalent. It can be used alone to modify an IDA Pro
database for static analysis, or in conjunction with a binary injector to ease
dynamic analysis.

We developed this tool while assessing the strength of software protections and
analyzing malware for DoD government entities and commercial companies. Since its
inception, the Deobfuscator has proven to reduce analysis tasks that previously
took days into ones that take mere minutes.

Eric Laspe

Eric Laspe has worked at Riverside Research Institute for two years. Since
joining their Red Team in 2006, he has broken software protections for commercial
entities, reverse engineered malware, and worked with the Team developing a variety
of innovative RE tools. Eric has a B.S. in Computer Engineering from Wright
State University, and has co-authored IEEE papers on binary obfuscation removal and specialized debugging tools.

Highway to Hell: Hacking Toll Systems

Nate Lawson, Founder, Root Labs

Track: OTA

Toll payment systems, such as FasTrak and E-ZPass, promise quick travel and more revenue for the state. While privacy
issues with such systems have been discussed in general, little is known about their actual implementation and security.
We reverse-engineered the RFID internals and analyzed the protocol to find out just what's going on inside. We'll explain
the low-level details we found, the problems, and possible ways to build a safer and more secure system.

Nate Lawson, founder of Root Labs, assists companies with the design of embedded, platform, and
cryptographic security. At Cryptography Research, Nate co-developed the Blu-ray content protection layer known as
BD+. He is also the original developer of IBM/ISS RealSecure. Powered by home-roasted coffee, Nate spends his
spare time contributing to the FreeBSD (ACPI/power management, SCSI) and C64 Preservation open-source projects.

Bluetooth v2.1 - a New Security Infrastructure and New Vulnerabilities

Andrew Lindell

Track: OTA

The Bluetooth protocol for close-range wireless communication has been a huge success.
It is a widely adopted standard and is used for a wide range of devices, from cellphones
to PDAs to laptops and more. Due to its ubiquity and importance, its security has become
a critical issue. In the new version 2.1, released in July 2007, a complete overhaul of
the pairing procedure was carried out with the express aim of making it more secure. In
this paper we show that the Bluetooth pairing protocol in passkey entry mode completely
leaks the password. In addition, we show that it is possible to pair with a device
that uses a fixed (but unknown) password, even when the password is random and reasonably
long. Our attacks demonstrate that passkey entry mode can only be used with a different
random password each time. Unfortunately this is not possible for devices that use a
fixed password (like many hands-free car kits). In addition, due to human behavior,
this is unlikely to be the case when the user enters the password into two devices
in order to pair them. Thus, devices that leave it to the user to enter a password
(instead of randomly generating it on one of the devices) will be vulnerable to attack.

Andrew Lindell

Andrew Lindell is the Chief Cryptographer at Aladdin Knowledge Systems and an
Assistant Professor at Bar-Ilan University in Israel. Andrew attained a Ph.D. at
the Weizmann Institute of Science in 2002 and spent two years at the IBM
T.J. Watson research lab as a postdoctoral fellow in the cryptography research
group. Andrew has carried out extensive research in cryptography, and has
published more than 50 conference and journal publications, as well as an
undergraduate textbook on cryptography and a book detailing secure protocols.
Andrew has presented at numerous international conferences, workshops and
university seminars, and has served on program committees for top international
conferences in cryptography. In addition to Andrew's notable academic
experience, he joined Aladdin Knowledge Systems in 2004. In his position as
Chief Cryptographer, he has worked on the cryptographic and security issues that
arise in the design and construction of authentication schemes, smartcard
applications, software protection schemes and more. Offering a unique
combination of academic and industry experience, Andrew brings a fresh and
insightful perspective on many of the crucial security issues that arise
today.

Developments in Cisco IOS Forensics

Felix Lindner, Head of Recurity Labs

Track: Forensics

Attacks on network infrastructure are not a new field. However, the increasing default protections in common operating systems,
platforms and development environments increase interest in the less protected infrastructure sector. Today, performing in-depth
crash analysis or digital forensics is almost impossible on the most widely used routing platform.

This talk will show new developments in this sector and how a slightly adjusted network infrastructure configuration, together
with new tools, finally makes it possible to tell crashed, attacked and backdoored routers apart. We walk through the known
types of backdoors and shellcodes for IOS as well as their detection and the challenges in doing so.

Felix "FX" Lindner runs Recurity Labs. FX has over 10 years of experience in the computer industry,
eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of
computer sciences, telecommunications and software development. His background includes managing and participating
in a variety of projects with a special emphasis on security planning, implementation, operation and testing using
advanced methods in diverse technical environments. FX is well known in the computer security community and has
presented his and Phenoelit's security research at Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication
Congress, MEITSEC and numerous other events. His research topics have included Cisco IOS, HP printers, SAP and RIM BlackBerry.
Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified
Information Systems Security Professional.

Oracle Forensics by David Litchfield

Track: Forensics & Anti Forensics

Nathan McFeters, John Heasman, Rob Carter

Track: App Sec 1.0 / 2.0

The dangers of client-side threats such as XSS and CSRF are well understood
in the context of vulnerable web applications. Furthermore, the dangers of
malicious script as a vehicle for exploiting browser flaws and reconnoitering
the Intranet have been discussed at length. Now what if XSS and CSRF could be
leveraged to directly compromise the host… by design?

Rewind a few years and the client-side landscape was somewhat
different: research was focused on exploiting the complex interactions between
components exposed by the browser. The security of the whole was defined as the
sum of the weaknesses of the parts, namely JavaScript, Java, Flash, and anything
accessible via a protocol handler. These types of attack gave way to direct
browser flaws... after all, why carry out a multi-stage attack when you could
trigger straight code execution? Fast forward to 2008: browser flaws are not
going away in the foreseeable future, but they are on the decline, and in a world
of stack cookies, non-executable stacks and ASLR they are becoming increasingly
hard to exploit. Which takes us back to the complexity issues. They never
went away. In fact the situation has gotten worse, spurred by the development of
offline solutions such as Google Gears and Adobe AIR, the plethora of protocol
handlers and an explosion of browser helper objects.

This double-session presentation combines the research of four notable
Black Hat presenters who have previously discussed client-side exploitation from
browser to rootkit. Combined with rapidly increasing corporate interest
in "outsourcing" applications to the browser, this fast-paced, entertaining,
and novel presentation answers the question: should we really be building next
generation applications on the shaky foundations of the browser?

This is NOT another talk focused on XSS or CSRF, it's about issues and
vulnerability classes that have not been discussed anywhere else. You get all
of this from some legit, good looking security researchers, what more could you
ask for?

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced
Security Center (ASC) and is currently serving in a Security Evangelist role for
the ASC based out of Chicago, IL. Nathan has performed web application, deep
source code, Internet, Intranet, wireless, dial-up, and social engineering
engagements for several clients in the Fortune 500 during his career at Ernst &
Young and has spoken at a number of prestigious conferences, including Black
Hat, DEFCON, ToorCon, and Hack in the Box. Prior to taking the position with
Ernst & Young, Nathan paid his way through undergraduate and graduate degrees at
Western Michigan University by doing consulting work for Solstice Network
Securities, a company co-founded with Bryon Gloden of Arxan, focused on providing
high-quality consulting work for clients in the Western Michigan area. Nathan
has an undergraduate degree in Computer Science Theory and Analysis from Western
Michigan University and a Master of Science degree in Computer Science with an
emphasis on Computer Security, also from Western Michigan University.

John Heasman

John Heasman is the VP of Research for the US arm of NGSSoftware, a
UK-based company with offices in Seattle. NGS carries out sophisticated
security assessments for the world's leading software vendors and financial
institutions. Heasman is a prolific security researcher, having published
numerous advisories in enterprise-level software including Microsoft Windows,
Exchange, Outlook, OpenOffice, PostgreSQL, Apple QuickTime, RealNetworks
RealPlayer and Sun Microsystems' Java. He has a strong interest in
database security and co-authored The Database Hacker's Handbook
(Wiley, 2005) and The Shellcoder's Handbook, 2nd Edition (Wiley, 2007).
He is a regular speaker at international security conferences and has
presented at Black Hat, Defcon, LayerOne, OWASP AppSec and the Computer
Enterprise Incident Conference on a variety of topics ranging from
firmware rootkit implementations to browser-based attacks. He maintains
a vulnerability research blog at http://heasman.blogspot.com.

Rob Carter

Rob Carter is a Security Advisor for Ernst & Young's Advanced Security
Center in Houston, TX. He has performed web application, internet,
intranet, social engineering and wireless penetration tests for EY's
Fortune 500 clients. Rob's primary area of interest is in web
application security research and tool development. He has an
undergraduate degree from Western Michigan University in Computer
Science.

Braving the Cold: New Methods for Preventing Cold Boot Attacks on Encryption Keys

Patrick McGregor

Track: 0-Day Defense

We can prevent Cold Boot attacks. We present a new set of software-driven
techniques for protecting cryptographic keys in various encryption systems.
These software techniques do not involve the use of any specialized hardware or
encryption chips. Instead, the techniques utilize specialized cryptographic
transformations, memory system and operating system operations, and certain
architectural features of general-purpose processors such as Pentiums. The
methods can defend against Cold Boot attacks on machines that have been shut
off, on machines in hibernate and sleep modes, and even on machines in screen
lock mode.

Patrick McGregor

CEO Patrick McGregor is a founder of BitArmor. Since 2003, he has led the
company's financing, operations, and technical initiatives. Dr. McGregor holds a
Ph.D. from Princeton University in computer engineering, an M.A. from Princeton
University in computer engineering, and both an M.S. and a B.S. from Carnegie
Mellon University in electrical and computer engineering. He is an expert in
computer security and computer architecture, and he has authored and presented
many research papers for refereed conference and journal publications. Dr.
McGregor has also filed for several pending patents involving cryptography and
security software. His experience includes technical positions at Hewlett
Packard Laboratories and several other software companies. A sought-after
speaker, Dr. McGregor has presented at numerous industry events, including the
RSA Conference in 2008, and has given guest lectures at his alma mater, Carnegie
Mellon. His security research has been cited in national publications including
The New York Times and was most recently referenced in the Princeton University
research report on Cold Boot Attacks.

Pushing the Camel through the Eye of a Needle

SensePost

Track: Web 2.0

In 2007 SensePost demonstrated how DNS and timing attacks could be used
for a variety of attacks. This year we take those attacks further and show
how small footholds in a target network can be converted into portals we can
(and do) drive trucks through!

With some updated SensePost tools, and some brand new ones, we will
demonstrate how to convert your simple SQL Injection attacks (against well
hardened environments) into point and click (well, type and click) ownage,
how the framework management pages you never knew you had can double as our
network proxies, and why, despite all of the hype around SQL Server 2005, we
still enjoy finding it behind vulnerable web applications.

The talk is fairly technical and expects that the attendees understand the
basics of Web Application and Web Browser based attacks. Attendees will
leave with new attack vectors, a couple of new tools and some thoughts on
future directions of these attacks.

Haroon Meer is the Technical Director of SensePost. He joined SensePost in
2001 and has not slept since his early childhood. He has co-authored several
technical books on Information Security and has spoken and trained at
conferences around the world. He has played in most aspects of IT Security
from development to deployment and currently gets his kicks from reverse
engineering, application assessments and similar forms of pain.

Marco Slaviero is a SensePost Associate and finds long bios amusing.

Meet the Feds 2008

Panel Discussion

Join some of the longest running cybercops in a reality session not made for
TV. Hang out on the front lines to learn about the most sophisticated attacks
happening so far this year. We don't expect to win an Emmy, but we might get a
Pwnie. This year we will have so many feds representing their federal agencies
that we will break it up into two separate panels of an hour each.

Each of the agency reps makes an opening statement regarding their agency's
role, then opens it up to the audience for questions. Agencies that will have
representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA,
DHS US-CERT, DoJ, National White Collar Crime Center (NW3C), NSA, US Postal IG,
Office of the Secretary of Defense, National Defense University.

Panel Discussion

Jim Christy - DC3

Mike Convertino - AFCC

Cynthia Cuddihy - RCMP

James Finch - FBI

Barry Grundy - NASA

David Helfen - NCIS

Bob Hopper - NW3C

Ray Kessenich - DCITA

Tim Kosiba - NSA

Mischel Kwon - USCERT

Rich Marshall - NSA

Marc Moreau - RCMP

Tom Pownall - RCMP

Ken Privette - USPS IG

Linn Wells - NDU

SA (Ret) Jim Christy

Supervisory Special Agent Jim Christy is the Director of the Defense Cyber Crime Futures Exploration
(FX) Directorate, Defense Cyber Crime Center (DC3). FX is responsible for informing and educating members
of the other Department of Defense organizations, federal agencies, state and local law enforcement,
international partners, the private sector, and academic institutions on the mission and activities
of all DC3 programs. SA Christy is a retired Air Force Office of Special Investigations computer crime
investigator. SA Christy was an AFOSI computer crime investigator for over 18 years.

From 17 Sep 01 – 1 Nov 03 SA Christy was the Director of Operations, Defense Computer
Forensics Lab, DC3. As the Dir of Ops for the DCFL he managed four sections with over 40 computer
forensic examiners that supported Major Crimes & Safety, Counterintelligence and Counterterrorism,
as well as Intrusions and Information Assurance cases for the Department of Defense.

From May 98 – Sep 01 Mr. Christy was assigned to the Defense-wide Information Assurance Program,
Assistant Secretary of Defense for Command, Control Communications and Intelligence (ASDC3I) as
the Law Enforcement & Counterintelligence Coordinator and Infrastructure Protection Liaison.

SA Christy served as the DoD Representative to the President’s Infrastructure Protection
Task Force (IPTF) from Sep 96 – May 98. The President signed Executive Order 13010 on 15 Jul
96, creating IPTF to protect the Nation’s critical infrastructure from both physical and cyber attacks.

Prior to the IPTF, SA Christy was detailed to Senator Sam Nunn’s staff on the Senate, Permanent
Subcommittee on Investigations as a Congressional Fellow, Jan - Aug 96. Senator Nunn specifically
requested SA Christy’s assistance for the Subcommittee to prepare for hearings in May - Jul 1996,
on the vulnerability and the threat to National Information Infrastructure from cyberspace. SA
Christy authored the Subcommittee’s investigative report and testified twice before the Subcommittee.

From 1986-1998, SA Christy was the Director of Computer Crime Investigations, and Information Warfare
for AFOSI and established the first computer forensic lab which evolved to become the DoD Computer Forensic Lab.

In 1986, SA Christy obtained some notoriety as the original case agent in the “Hanover Hacker” case.
This case involved a group of German hackers who electronically penetrated DoD computer systems all over
the world and sold the information to the Soviet KGB. The case was detailed in the best seller “The Cuckoo’s
Egg”, by Dr. Cliff Stoll. The Public Broadcasting System has also produced a docu-drama on this case.

In a murder investigation in 1991, the suspect cut two floppy diskettes into 23 pieces with pinking shears.
No agency was able to recover any of the data until Jim and his deputy developed a technique for less than $150.
Mr. Christy was able to recover 85%-95% of the data from each piece of diskette. The suspect, when confronted
with the evidence, confessed, pled guilty and was sentenced to life in prison. This case was profiled on
the “New Detectives” series on the Discovery Channel, 2 Jan 99.

Some of SA Christy’s notable firsts in Computer Crime Investigations:

1st civilian computer crime investigator in the U.S. Government

Colonel S. Michael Convertino II, AFCYBER

Colonel Convertino holds bachelor's and master's degrees in computer engineering, information
systems management, and international security studies and has held numerous assignments supporting
intelligence collection and communications operations at both the National Security Agency and the
Central Intelligence Agency. He has served as a communications and information squadron commander
twice, once deployed to Bosnia in support of Predator intelligence drone operations and once
in-garrison leading hundreds of airmen in operating over $300 million in signals
intelligence and mission-critical communications assets. He was assigned to the Joint
Staff, where he overhauled joint data interchange requirements and standards to focus on
interoperable intelligence capabilities after 9/11. He has also served as a four-star general's
aide, responsible for planning, coordination and execution of policy statements, public speeches
and congressional responses.

Special Agent Barry J. Grundy, NASA

Barry J. Grundy has worked as a Special Agent for the NASA Office of Inspector General (OIG), Computer Crimes Division
(CCD) for the past seven years. He currently serves as the Resident Agent in Charge of the Eastern Region of the NASA
OIG CCD, responsible for the supervision of criminal investigations related to cyber events at eight NASA Centers.
Before working for the NASA OIG, SA Grundy was employed as a Special Agent for the Ohio Attorney General’s Office,
Health Care Fraud Unit, where he was responsible for the computer seizure and forensic media analysis support for the
unit in addition to maintaining a normal health care fraud case load.

SA Grundy has acted as an instructor for a number of federal, state, and local law enforcement training courses,
including the Seized Computer Evidence Recovery Specialist (SCERS) course at the Federal Law Enforcement Training
Center (FLETC) in Glynco, Georgia, various courses at the Ohio Peace Officers Training Academy in London, Ohio and
at the National Specialist Law Enforcement Centre in Wyboston, England. He has also conducted presentations at the
Northeast Ohio United States Attorney’s Office Computer Crimes Conference, meetings of the High Technology Crime
Investigator’s Association, and the Department of Defense Cyber Crime Conference. SA Grundy has written the Law
Enforcement and Forensic Examiner’s Introduction to Linux, a Beginner’s Guide, a document distributed by many
computer forensic training organizations in the United States and overseas.

Prior to his law enforcement career, Grundy served for six years in the United States Marine Corps.
All of his active duty service was spent in Reconnaissance Battalions, eventually as a Recon Team Leader,
Scout/Sniper, and Combat Diver.

Bob Hopper, NW3C

Mr. Hopper is Manager of the NW3C Computer Crime Section and is responsible for all aspects of management within
the section, including staff assigned throughout the country. Mr. Hopper retired with nearly thirty years of
service with the Arizona Department of Public Safety and thirty-seven years in law enforcement. Mr. Hopper’s
law enforcement career included assignments in Narcotics, Air Smuggling, White Collar Crime, Organized Crime
and Advanced Officer Training. Mr. Hopper developed and managed the Arizona Department of Public Safety
Regional Computer Forensic Lab. This computer forensic lab grew from a two-man unit in 1998 to one of
the most state-of-the-art computer forensic labs in the country. The DPS computer forensic lab is housed
at the Arizona Counter Terror Information Center (ACTIC) in Phoenix, Arizona, and continues to be a trendsetter
looked to nationally as a model for the future of the discipline. During his police career, Mr. Hopper
developed entry-level as well as advanced computer forensic training curricula that were taught to police
officers from agencies throughout Arizona as well as police departments from around the nation.

Mr. Hopper has developed police training programs ranging from Police Search and Seizure for the academy
as well as advanced officer training, Advanced Wiretap Procedures and Investigation, Police Master
Instructor curriculum, Undercover Operations Survival training, Narcotics Air Smuggling Training and
numerous other police training curricula. Mr. Hopper has produced and directed police training videos,
and the video unit he supervised received a number of national awards for its productions. Along with
more than 30 years of law enforcement experience, Mr. Hopper has more than 20 years of law enforcement
academic leadership and has been recognized by the Department of Justice Law Enforcement Coordinating
Committee, Arizona Attorney General's Office, Arizona Counter Terror Information Center, and others for
his accomplishments in the field.

Mr. Hopper received his teaching credentials through the Arizona Community College board and has developed
classroom and web based computer forensic curriculum for Rio Salado Community College in Phoenix, Arizona and
taught law enforcement courses within the Arizona Community College system for over ten years.

Mr. Hopper is a member of the Scientific Working Group on Digital Evidence and participated in the
development of two NIJ publications in the area of digital evidence, Electronic Crime Scene Investigation:
A Guide for First Responders, and Forensic Examination of Digital Evidence: A Guide for Law Enforcement.

Raymond Kessenich, DC3/DCITA

Special Agent Raymond Kessenich is currently detailed to the Defense Cyber Crime Center in Linthicum, MD, as
the Director of the Defense Cyber Investigation Training Academy. Special Agent Kessenich is an employee of
the Naval Criminal Investigative Service and a 28 year law enforcement professional.

Mischel Kwon, DHS

Mischel Kwon, an IT professional with more than 26 years of experience, was named the Director of Operations
for the United States Computer Emergency Readiness Team (US-CERT) in June 2008. As the Director of Operations
for the US-CERT, Kwon is responsible for the operational mission of the US-CERT. US-CERT is responsible for
analyzing and reducing cyber threats and vulnerabilities in Federal networks, disseminating cyber threat warning
information, and coordinating incident response activities.

Kwon brings a unique blend of hands-on experience, academic research and training, and a seasoned understanding
of how to build operational organizations from inception. Among her successes at the United States Department of
Justice (DOJ), where she was Deputy Director for IT Security Staff, she built and deployed the Justice Security
Operations Center (JSOC) to monitor and defend the DOJ network against cyber threats. In addition, she served
as the lead project manager for the Trusted Internet Connections (TIC) project at DOJ. The TIC project is a
jointly led project between OMB and DHS. This experience provides a unique perspective in her operational mission at DHS.

In addition to the operational role, Kwon lends her experience and drive for providing superior customer service to
DHS. Kwon is leading the effort to enhance the US-CERT’s ability to disseminate reasoned and actionable cyber security
information to key stakeholders, including: federal agencies, industry, the research community, and state and local governments.
In tandem with this effort, Mischel is in the process of building and enhancing US-CERT’s capability to better protect our
nation's Federal Internet infrastructure by coordinating actionable mitigation against and response to cyber attacks.

Ms. Kwon holds a Master of Science in Computer Science and a graduate certificate in Computer Security and Information
Assurance. In addition, she serves as an adjunct professor at George Washington University in Washington, DC, where Ms.
Kwon also runs the GW Cyber Defense Lab. Her interests branch out into cryptology, wireless networks, and antenna theory.

Richard H.L. Marshall, NSA

Mr. Richard H. L. Marshall is the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the
National Security Agency (NSA). NSA’s Legislative Affairs Office is the Agency’s point of contact for all NSA matters concerning
Congress and is committed to maintaining a relationship with Congress built on trust, candor, completeness, correctness,
consistency, and corporateness. As an additional duty, Mr. Marshall also represents NSA in the National Centers of Academic
Excellence in Information Assurance Program in Boston, Massachusetts and the Detroit, Michigan areas where he has led the
effort to establish an International Consortium on Information Assurance.

Mr. Marshall graduated from The Citadel with a B.A. in Political Science; Creighton University School of Law with a J.D.
in Jurisprudence; Georgetown School of Law with an LL.M. in International and Comparative Law; was a Fellow at the National
Security Law Institute, University of Virginia School of Law in National Security Law; attended the Harvard School of Law
Summer Program for Lawyers; the Georgetown University Government Affairs Institute on Advanced Legislative Strategies and
participated in the Information Society Project at Yale Law School and in the Privacy, Security and Technology in the 21st
Century program at Georgetown University School of Law. Mr. Marshall is also an Honor Graduate of the USAF Squadron Office
School, the USAF Air Command and Staff College, the NDU Industrial College of the Armed Forces, the USAF Judge Advocate
General (JAG) School and the Army JAG School (both Basic and Advanced).

An avid reader, runner, biker, swimmer, snowboarder and horseman, Mr. Marshall resides in Columbia, MD. He also enjoys
theater and the arts and has appeared in a cameo role on stage at the Kennedy Center. Active in the American Bar Association,
he is a member of the ABA Standing Committee on Law and National Security.

Ken Privette, USPS

Ken works as the Special Agent in Charge of the Technical Investigations Division (TID) at the USPS Office of
Inspector General. TID consists of three programs, including the Polygraph Program and two digital evidence programs –
the Technical Operations Unit and the Computer Crimes Unit (CCU). The TID conducts computer crime investigations and
provides computer forensics support to a force of 600 agents who conduct fraud and internal crime investigations for
the U.S. Postal Service. Over the past two years, Ken’s team has doubled in size, now managing a forensic workload
of more than 1000 requests per year. Through a creative partnership with the Postal Service’s CIO, his team has
pioneered new digital forensics initiatives such as remotely imaging computers across the Postal Service infrastructure.
The team has also developed custom digital forensic applications for leveraging vast Postal data resources.

Ken spent much of his professional life as a Special Agent with the Naval Criminal Investigative Service, both
overseas and stateside, where he conducted investigations involving computer crime, terrorism, and counterintelligence
matters.

Linton Wells II, Ph.D., NDU

Dr. Linton Wells II is a Distinguished Research Professor and serves as the Transformation Chair at National
Defense University (NDU). Prior to coming to NDU he served in the Office of the Secretary of Defense (OSD) from
1991 to 2007, serving last as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration).
In addition, he served as the Acting Assistant Secretary and DoD Chief Information Officer for nearly two years.
His other OSD positions included Principal Deputy Assistant Secretary of Defense (Command, Control, Communications
and Intelligence) and Deputy Under Secretary of Defense (Policy Support) in the Office of the Under Secretary of
Defense (Policy).

In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a
destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations
analysis; Pacific, Indian Ocean and Middle East affairs; and C3I.

Dr. Wells was born in Luanda, Angola, in 1946. He was graduated from the United States Naval Academy in 1967
and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns
Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in
international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in
Tokyo, the first U.S. naval officer to attend there.

Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese
Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between
policy and technology, scuba diving, and flying. He has three times been awarded the Department of Defense
Medal for Distinguished Public Service.

Reverse DNS Tunneling Shellcode

Ty Miller

Track: 0-Day

Remote exploitation of client-side vulnerabilities is falling short because
the shellcode often fails to connect back to the attacker. The creation of
"Reverse DNS Tunneling Shellcode" will allow client-side exploits to be much
more effective by using DNS as a tunneling protocol, increasing the success
rate of client-side exploitation attempts through this more stable tunneling
technique.

The number of vulnerabilities found within external systems and services is
decreasing, making it less likely that externally accessible systems can be
directly exploited to gain access to an internal network. Thankfully for hackers
and penetration testers, client-side vulnerabilities are still rampant, for
example in web browsers, plugins, local software and operating systems. This has
increased interest in creating and using exploits for client-side
vulnerabilities. It is quite common for an exploit to be successful but still
fail to connect back to the attacker, due to firewalls preventing direct outbound
connections, HTTP tunneling failing to detect, connect or authenticate out via
proxies, or the complexity of hijacking established connections, if any exist.

Reverse DNS Tunneling shellcode is a new technique for shellcode that
increases the success rate of client-side exploit attempts by using the DNS
protocol. DNS provides a number of advantages over other protocols. Most remote
exploitation attempts of client-side vulnerabilities aim to attack
workstations. Workstations are almost always pre-configured to use an internal
DNS server, which we can use to tunnel our connection out. DNS also does not
require authentication, whereas HTTP tunneling does, which means that DNS has
fewer barriers to bypass in order to escape the internal network. This is
important since it means that the chance of successful exploitation is much
higher when using Reverse DNS Tunneling Shellcode.

So how does Reverse DNS Tunneling Shellcode work? The client-side exploit
kicks off the shellcode, which then creates unique DNS probes using subdomains
of the attacker's domain. These probes get sent from the workstation to the
internal DNS server, and then out to the DNS servers throughout the Internet,
eventually making it back to the attacker's DNS server. At this point the
attacker's custom DNS server (currently written in Perl) receives the probe and
prompts the attacker with a command line (attacker smiles). The attacker can now
enter commands to be executed on the remote victim system. The custom DNS
server then encodes the command with Base32 encoding, splits and delimits the
encoded command to fit within the DNS protocol specifications, and sends the
encoded command back in the DNS response. The Reverse DNS Tunneling Shellcode
on the victim host then receives and decodes the DNS response to reveal the
underlying command, and then executes it on the victim system. The output of
this command is then Base32 encoded, split, delimited, numbered, and sent back
to the attacker across numerous DNS requests. The custom DNS server then
uses the request IDs to reconstruct the encoded DNS request data and reveal the
command output to the attacker (who smiles again). Once this process has
completed, the shellcode reverts to probing the attacker for the
next command.

There are ways to protect against this type of attack, such as implementing
Split DNS, which allows organizations to prevent DNS requests from exiting
their internal network. This would prevent the DNS probes from reaching the
attacker. From experience, most organizations do not currently use Split DNS
(except for larger, more security-aware organizations), and therefore this
attack still has an extremely high success rate. Network IDS could also
potentially be configured to detect trends of multiple large DNS requests to a
single domain. One downfall of this technique is the shellcode size limitation
that specific vulnerabilities may impose. This is not the case when exploiting
heap overflows using the "Heap Feng Shui" technique developed by Alexander
Sotirov.
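As an added illustration of the IDS-side detection idea mentioned above (code written for this page, not part of the talk or its tooling), the following script profiles resolver query logs per registered domain and flags domains that receive many distinct, long, Base32-looking subdomain queries. The log line format, the sample entries and the thresholds are assumptions.

```python
"""Added example: flag DNS query streams that look like a DNS tunnel.

Defender-side heuristic: a tunnel shows up as many distinct, long,
Base32-looking subdomains under one registered domain, because every
chunk of tunneled data must be a unique, never-cached query name.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one "<client-ip> <query-name>" per line.
# The format is an assumption; adapt the parser to your resolver's log format.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 MFRGGZDFMZTWQ2LK.0.tunnel-example.net
10.0.0.7 NBSWY3DPEB3W64TMMQ.1.tunnel-example.net
10.0.0.7 ORSXG5BANFZSAYJAORSXG5A.2.tunnel-example.net
10.0.0.7 MNXW2YLOMQQGS4ZAMNXW2YLOMQ.3.tunnel-example.net
10.0.0.7 O5UGS3TEN5TXG43UOJQXI2LPNY.4.tunnel-example.net
10.0.0.7 GEZDGNBVGY3TQOJQGEZDGNBV.5.tunnel-example.net
10.0.0.5 cdn.example.com
10.0.0.9 a1.b2.static.example.org
"""

# RFC 4648 Base32 alphabet is A-Z and 2-7; DNS names are case-insensitive,
# so labels are upper-cased before matching. 16+ chars skips short hostnames.
BASE32_LABEL = re.compile(r"^[A-Z2-7]{16,}$")


def registered_domain(qname: str) -> str:
    """Last two labels, lower-cased. Good enough for the sample; a real
    deployment should use a public suffix list (e.g. for co.uk)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower()


@dataclass
class DomainStats:
    queries: int = 0
    distinct_names: set = field(default_factory=set)
    subdomain_bytes: int = 0  # total length of the part below the registered domain
    base32_queries: int = 0   # queries with at least one Base32-looking label


def profile(log_text: str) -> dict:
    """Aggregate per-registered-domain statistics from the log text."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname = line.split()
        qname = qname.rstrip(".")
        domain = registered_domain(qname)
        sub = qname[:-(len(domain) + 1)] if len(qname) > len(domain) else ""
        s = stats[domain]
        s.queries += 1
        s.distinct_names.add(qname.lower())
        s.subdomain_bytes += len(sub)
        if any(BASE32_LABEL.match(label.upper()) for label in sub.split(".") if label):
            s.base32_queries += 1
    return stats


def suspicious_domains(log_text: str, min_queries: int = 5,
                       min_avg_sub_len: float = 20.0,
                       min_base32_ratio: float = 0.8,
                       min_distinct_ratio: float = 0.9) -> list:
    """Return (domain, queries, avg_subdomain_len, base32_ratio) tuples for
    domains matching the tunnel heuristic. Thresholds are assumptions; tune
    them against your own baseline (CDNs and some reputation-lookup services
    also legitimately use long, unique labels, so expect an allowlist)."""
    hits = []
    for domain, s in profile(log_text).items():
        if s.queries < min_queries:
            continue
        avg_len = s.subdomain_bytes / s.queries
        base32_ratio = s.base32_queries / s.queries
        distinct_ratio = len(s.distinct_names) / s.queries
        if (avg_len >= min_avg_sub_len and base32_ratio >= min_base32_ratio
                and distinct_ratio >= min_distinct_ratio):
            hits.append((domain, s.queries, round(avg_len, 1), round(base32_ratio, 2)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in suspicious_domains(SAMPLE_LOG):
        print("possible DNS tunnel:", hit)
```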

This allows an attacker to detect and take advantage of a number of different
ways out of the organization, enabling multiple sessions to be created on the
victim host. This would again dramatically increase the success rate of
client-side exploits, and also has the added advantage of creating multiple
redundant sessions to the attacker for connection stability.

Ty Miller

Ty Miller is the Chief Technical Officer and Penetration Tester for Pure
Hacking in Sydney, Australia. Ty has performed penetration tests against
thousands of systems for large Banking, Government, Telecommunications, and
Insurance organizations worldwide, and has designed and managed large security
architectures for a number of Australian and multinational organizations within
the Education and Airline industries. Ty is one of the authors of the next
edition of the Hacking Exposed Linux book, where he wrote the web application
hacking chapter. He holds a Bachelor of Technology in Information and
Communication Systems from Macquarie University, Australia. Ty is a certified
ISECOM OPST and OPSA Instructor, and contributes to the Open Source Security
Testing Methodology Manual. Ty was also involved in the development of the CHAOS
Linux distribution, which aimed to be the fastest, most compact, secure and
straightforward openMosix cluster platform available. His other interests
include web application hacking, as well as exploit and shellcode
development.

Satan is on My Friends List: Attacking Social Networks

Shawn Moyer and Nathan Hamiel

Track: App Sec 1.0 / 2.0

Social Networking is shaping up to be the perfect storm: an implicit trust of
those in one's network or social circle, a willingness to share information,
little or no validation of identity, the ability to run arbitrary code (in the
case of user-created apps) with minimal review, and a tag soup of client-side
user-generated HTML. Yikes.

But enough about pwning the kid from homeroom who copied your calc homework.
With the rise of business social networking sites, there are now thousands of
public profiles with real names and titles of people working for major banks,
the defense and aerospace industry, federal agencies, the US Senate... A
target-rich and trusting environment for custom-tailored, laser-focused
attacks.

Shawn Moyer and Nathan Hamiel

Shawn Moyer is CISO of Agura Digital Security, a web and network security
consultancy. He has led security projects for major multinational corporations
and the federal government, written for Information Security magazine, and
spoken previously at BH and other conferences.

Shawn is currently working on a slash fanfic adaptation of 2001: A Space Odyssey, told from the
perspective of HAL 9000. He only accepts friend requests on Facebook if they
include a DNA sample and a scanned copy of a valid driver's license or passport.

Nathan Hamiel is a Senior Consultant for Idea
Information Security and the founder of the Hexagon Security Group. He is also
an Associate Professor at the University of Advancing Technology. Nathan has
previously presented at numerous other conferences including DefCon, Shmoocon,
Toorcon, and HOPE.

Nathan spent much of DefCon 15 without shoes
and is planning ahead this year with a defense-in-depth approach that includes
failover footwear. He has 1,936 people in his extended network, and finds that
disturbing on a number of levels.

Viral Infections in Cisco IOS

Ariel Futoransky

Track: Rootkit Arms Race

Rootkits are very common in most popular operating systems like Windows,
Linux, Unix and any variant of those, but they are rarely seen in embedded OSes.

This is because embedded OSes are most of the time closed
source, hence the internals of the OS are unknown and the reverse engineering process is
harder than usual. In real life, it is very common that once an attacker takes control of a
system he or she needs to maintain access to it, so a rootkit is installed.

The rootkit seizes control of the entire system running on that hardware
by hiding files, processes and network connections, allowing unauthorized users to
act as system administrators, etc.

This paper demonstrates that a rootkit with those characteristics can be
easily created and deployed for a closed source OS like IOS and run unnoticed by
system administrators, surviving most, if not all, of the security measures
recommended by experts in the field.

As a proof of this, different ways to infect a target IOS will be shown,
such as run-time patching and image binary patching. To discuss the binary patching
technique from a practical point of view, a set of Python scripts that provides
the methods to insert a generic rootkit implementation called DIK (Da Ios rootKit),
written in plain C for IOS, will be introduced. Other techniques such as run-time
image infection will also be discussed in detail.

Ariel Futoransky

Ariel Futoransky, a co-founder of Core, is the head of CoreLabs, the company's research
and development center. As such, he is responsible for all day-to-day research and publishing
activities. Since 1996, Futoransky has been working to transform promising technologies into
competitive advantages for the company and its customers. Prior to co-founding Core, Futoransky
served as a member of the Special Projects Group at the Argentine tax agency and served as a
consultant for several government agencies and corporations. Futoransky has distinguished himself
as a multiple award winner in the International Olympiad in Informatics (IOI), where he won a
silver medal in Stockholm in 1994, three gold medals in Buenos Aires in 1991-1993, and a
bronze medal in 1992 in Bonn, Germany.

A Hypervisor IPS based on Hardware Assisted Virtualization Technology

Junichi Murakami

Track: Virtualization

Recently malware has become more stealthy, and thus harder to detect, than
ever before. Current malware uses many stealth techniques, such as dynamic code
injection, rootkit technology and much more. Moreover, we have seen full kernel
mode malware like Trojan.Srizbi.

Many detection tools have been released that specialize in kernel mode malware and
especially in the detection of rootkits. However, these tools are locked in a cat and
mouse game, because they and the malware execute at the same privilege
level.

This is why we developed an IPS based on a hypervisor, which uses features of
hardware virtualization. It executes in "Ring -1" and thus runs with higher
privileges than the OS layer.

In this session, we will talk about stealth mechanisms used by recent malware
and demonstrate how to protect against such malware using Hypervisor IPS.

Junichi Murakami

Junichi Murakami is a Senior Research Engineer at Fourteenforty Research
Institute, Inc., and a member of the Alpha Unit Research & Development team. He
is interested in kernel space related security technology on both Windows and
Linux. He has developed LKM (Loadable Kernel Module) rootkits and rootkit
detectors for Linux as a student. His work can be found in chkrootkit and
StMichael projects. He also developed a comprehensive honeypot system for
collecting malware. Currently, he focuses on Windows based malware and the
reverse engineering thereof.

Mifare -- Little Security, Despite Obscurity

Karsten Nohl

Track: Hardware

Radio Frequency Identification (RFID) tags are becoming ubiquitous and can
already be found in touch-less entry systems, all major credit cards, most car
keys, and many ticketing systems. Mifare is the most widely deployed brand of
cryptographic RFID tag, and its security relies on proprietary, secret designs, in
spite of the well known fact that security-through-obscurity does not work.

We find the secret algorithms from Mifare tags by using a combination of
image analysis of circuits and protocol analysis. In this process, we open
silicon chips, take pictures under a microscope, employ and adapt computer
vision algorithms, design and build radio equipment, simulate circuits, and
finally use cryptanalysis to assess the security of the discovered algorithms.
Our project is the first non-classified work to provide a methodology for
hardware reverse-engineering and corrects the belief that this process is
necessarily expensive.

Our analysis of the widely used Mifare RFID tags reveals that their actual
security is well below the claimed security level due to a number of design
flaws. The security of the analyzed tag is clearly insufficient for many of its
applications. Consequently, ever since news of our results first surfaced,
several current deployments of the tags have been brought under public scrutiny.
Most notably, a nationwide ticket system for public transport in the Netherlands
must now be re-engineered. During a parliamentary discussion on this subject,
politicians have called for proprietary technology to be avoided in favor of
open designs.

Karsten Nohl

Karsten hacks hardware with folks at CCC and some of the Shmoos. He is
currently finishing his PhD at UVa where his research bridges theoretical
cryptography and hardware implementation. Some of his current projects deal with
RFID crypto, privacy protection, and the value of information.

Living in the RIA World: Blurring the Line Between Web and Desktop Security

Justine Osborne, Security Consultant, iSEC Partners

Track: App Sec 1.0 / 2.0

Rich Internet Applications (RIA) represent the next generation of the Web. Designed to run without constant Internet connectivity,
they provide a graphical experience equivalent to thick desktop applications with the easy install experience of thin Web apps.
They intentionally blur the line between websites and traditional desktop applications and greatly complicate the jobs of web
developers, corporate security teams, and external security professionals.

Our goal with this talk will be to outline the different attack scenarios that exist in the RIA world and to provide a comparison
between the security models of the leading RIA platforms. We will discuss how current attacks against web applications are changed
with RIA as well as outline new types of vulnerabilities that are unique to this paradigm. Attendees will learn how to analyze
the threat posed to them by RIA applications as either providers or consumers of software built on these new platforms.

We will also be discussing the attack surface exposed by the large media codec stacks contained in each of these platforms.
Our targeted platforms include Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism. At this talk, we will
be releasing tools for testing the codec security of these platforms as well as sample malicious code demonstrating the danger of
RIA applications.

Justine Osborne is a Security Consultant with iSEC Partners where she specializes in the security analysis of complex web and Win32 applications. Her research interests include web applications and dynamic vulnerability assessment tools. She holds a BS in Computer Science from Mills College.

Mobitex Network Security

olleB

Track: OTA

This talk will give an overview of the Mobitex wireless networking technology and infrastructure (www.mobitex.org). The
authentication (subscriber identity) and privacy (anti-sniffing) features will be presented in detail, together with
fundamental weaknesses in both, suggested improvements and "best practice" advice
for implementers of applications built on Mobitex and other wide-area coverage wireless network standards.

olleB has been working in the IT security industry since 1999 and has a background in UNIX systems administration.
In his spare time he enjoys tinkering with tech and building security related tools under the banner of the Toolcrypt group (www.toolcrypt.org).
He has held numerous security training courses of the "hands on/attacker perspective" type on behalf of past employers and has presented at T2
and CanSecWest security conferences.

Software Radio and the Future of Wireless Security

Michael Ossmann

Track: OTA

Radios are everywhere. We use them daily in car stereos, cordless phones, car key fobs, proximity
access cards, laptops, television tuners, garage door openers, mobile phones, and headsets, to name a
few. To build one of these radio devices in the traditional manner, you would need some electronic
components (including, in many cases, a microprocessor), a soldering iron, and a fairly advanced
knowledge of electronic circuit design. All that is changing, however, with the emergence of
software radio. The digital technologies that revolutionized the audio world over the last thirty
years are now bringing the same revolution to the radio world. General purpose computers are
becoming fast enough to function as sophisticated radio devices with minimal hardware peripherals.
In the future, all radios will be software radios, and all practical wireless security tools will
be implemented with software radio.

This presentation will describe the state of software radio, discuss future trends, and
point out current and future applications of software radio technologies to wireless security
research. Particular attention will be given to tools and resources that are available today,
helping attendees without a background in RF technology to get started in the field. Practical
attacks will be demonstrated using GNU Radio and the Universal Software Radio Peripheral.

Michael Ossmann is an information security researcher for the Institute for Telecommunication Sciences at the U.S. Department of Commerce
Boulder Laboratories. He has served as the information security officer for a hospital system, as a consultant, and as a system and network administrator. Michael
is best known for his 2004 article, WEP: Dead Again, and the 5-in-1 Network Admin's Cable featured in the premiere issue of Make.

Playing by Virtual Security Rules: How Virtualization Changes Everything and What to Do about It

Steve Pate

Track: Turbo Talks

Virtualization completely changes the risk of information theft. Traditional
physical security systems become ineffective, disk encryption no longer protects
the operating system, and sensitive data becomes more portable than ever before.
This talk will cover the security risks of virtualized environments, common
hacking techniques, and how virtualization affects traditional security practices,
and will present a new model for securing virtualized environments.

Steve Pate

Steve Pate is CTO of Vormetric and has 20 years of operating system technology
experience primarily in the areas of filesystem and storage technologies. He has
been involved in projects using numerous versions of UNIX, Linux and microkernel
technologies. Most recently he has been involved in several startups building
distributed storage technology. Steve spent 8 years in the Veritas filesystem
group where he was responsible for delivering solutions across multiple versions
of UNIX and Linux. Prior to that he was responsible for the architecture of SCO's
UNIX and microkernel developments. Steve began his career with International
Computers Limited (ICL) where he led the development of a microkernel-based
implementation of System V Release 4 UNIX. Steve is a published author with
two books on UNIX operating system and filesystem internals.

Client-side Security

Petko D. Petkov

Track: App Sec 1.0 / 2.0

Client-side software generally refers to a class of computer programs that
are executed on the client, by the user's supporting environment, instead of the
server. Both clients and servers are in constant interaction. In a Web
environment, the client is represented by the user's web browser, while the
server is the remote computer, which serves dynamic content. In a much broader
context, the client-server relationship can be represented by a network client
connected to a WiFi network.

This paper describes numerous techniques for attacking client-side
technologies. The content of the paper is based on the research that has been
conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit.

If Apple responds before the event, I will drop the details of a QuickTime
0day for Windows Vista and XP.

Petko D. Petkov

I enjoy breaking things, researching stuff and in general hacking whatever I
am interested in. I am running GNUCITIZEN, an ethical hacker outfit.

Malware Detection Through Network Flow Analysis

Bruce Potter, Founder, Shmoo Group

Track: The Network

Over the last several years, we've seen a decrease in effectiveness of "classical" security tools. The nature of the present day
attacks is very different from what the security community has been used to in the past. Rather than wide-spread worms and viruses
that cause general havoc, attackers are directly targeting their victims in order to achieve monetary or military gain. These attacks
are blowing right past firewalls and anti-virus and placing malware deep in the enterprise. Ideally, we could fix this problem at
its roots by fixing the software that is making us vulnerable. Unfortunately that's going to take a while, and in the interim security
engineers and operators need new, advanced tools that allow deeper visibility into systems and networks while being easy and efficient
to use.

This talk will focus on using network flows to detect advanced malware. Network flows, made popular by Cisco's NetFlow
implementation available on almost all their routers, have been used for years for network engineering purposes. And while
there has been some capability for security analysis against these flows, there has been little interest until recently.
This talk will describe NetFlow and how to implement it in your network. It will also examine advanced statistical analysis
techniques that make finding malware and attackers easier. I will release a new version of Psyche, an open source flow analysis
tool, and show specific examples of how to detect malware on live networks.

Bruce Potter is the founder of the Shmoo Group which is made up of security, crypto, and
privacy professionals. He is also the co-founder and CTO of Ponte Technologies, a company focused on developing
and deploying advanced IT defensive technologies. His areas of expertise include wireless security, network
analysis, trusted computing, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several
books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by
O'Reilly and "Mac OS X Security" by New Riders.

Temporal Reverse Engineering

Danny Quist, Colin Ames

Track: Reverse Engineering

Reverse engineering a program requires considerable patience and skill. The
amount of information that has to be analyzed can be overwhelming, and often
the relevant portions of code represent a very small part of the overall
program. One of the most effective methods for reverse engineering a program is
to analyze the changes in memory state. This provides a fine-grained view of
execution, intent, and functionality. To analyze changes of state correctly you
have to use a combination of static and dynamic methods. We will present our
work on the use of process checkpointing as a means to track the changes in
program state. Visualizing changing process state can be used to reduce the
amount of time necessary to analyze a program. As a demonstration we will
analyze information protection systems, a known piece of malware, the Storm worm,
and a benign application.

Danny Quist

Danny Quist is currently CEO and co-founder of Offensive Computing, LLC, a
security vulnerability consulting company. He is a Ph.D. candidate at New Mexico
Tech working on automated analysis methods for malware using software and
hardware assisted techniques. He holds a patent for a network quarantine system.
His research interests include reverse engineering and exploitation methods.

Colin Ames

Colin Ames is a security researcher with Offensive Computing LLC where he
consults for both the private and public sectors. He's currently focused on Pen
testing, Reverse Engineering, Malware Analysis and Steganographic research.

Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World

Mike Reavey, Steve Adegbite, Katie Moussouris

Track: Deep Knowledge

Has Microsoft lost its mind??!! Yes and no! Three top security dudes (one
technically being a dudette) at Microsoft have come up with three new programs
that will change the face of the vulnerability industry.

Mike Reavey

As group manager of the Microsoft Security Response Center (MSRC) at
Microsoft Corp., Mike Reavey works with security teams to proactively identify
and communicate critical software vulnerabilities to customers. Building on
Microsoft’s commitment to Trustworthy Computing, Mr. Reavey’s responsibilities
include responding to vulnerability reports, engaging with the security
community, and collaborating with internal product groups to provide updates to
customers and help protect them from computing security threats. Part of a
collective initiative to better protect software users from such threats, Mr.
Reavey’s team is constantly evolving its response capabilities. Reavey was
deeply involved in Microsoft’s work combating the Zotob, Sasser and Blaster
outbreaks, and has helped MSRC continually prove its ability to respond to
attacks and blended threats. His goal for the group is to continue to evolve in
the wake of new threats and serve as the first and best source of information
for customers and internal teams.

Steve Adegbite

Stephen, aka Capn Steve Adegbite, is a Senior Security Strategist in the MSRC
Security Ecosystem Strategy Team, working in the group that is responsible for
securing current and future Microsoft products. Steve started off in the computer
field as a scared 10 year old who discovered his father's TRS-80 and proceeded to
take it apart to see how it worked. He then couldn't put it back together. He later
discovered the early NYC hometown BBS and the kind people on it, who took pity
on him and helped him to put it back together and learn the early art of hacking
(not the bad kind, of course).

Steve went on to hone his chi on vulnerability intelligence, application
security and information assurance through many years in the Marine Corps
Communications and Signals Intelligence community. While there he founded
the first ever Information Assurance red team, charged with adversarial
testing of the Marine Corps Enterprise Network (MCEN). He was also at one
time the officer in charge of the Marine Corps Emergency Response
Team (MAR-CERT) component of the Joint Task Force Global Network Operations
Center (JTF-GNO). Following that, he worked as an Information Operations
specialist for various light and dark places within the US government.

Katie Moussouris

Katie Moussouris is a Security Strategist in the MSRC Security Ecosystem
Strategy Team, working in the group that is responsible for securing current
and future Microsoft products. Katie began her nerdy life programming her
C64 in grade school, writing her own Zork-like text-based adventure – which
was of limited use, since she had no friends and she knew all the puzzles
in her own game. Good thing she eventually left her room and found some
like-minded people at a local 2600 meeting.

Katie’s professional background is application security, having come from
Symantec by way of the @stake acquisition. Katie founded and ran the Symantec
Vulnerability Research Program, the first program of its kind in Symantec's
history to allow the publication through Responsible Disclosure of original
vulnerability advisories discovered by Symantec researchers. In addition
to performing security research, Ms. Moussouris has been an application
penetration tester for Fortune 500 companies across numerous industries.
She has uncovered serious vulnerabilities during the course of her work
before they could be widely exploited by hooligans and criminals for either
fun or profit, respectively.

No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling

Ivan Ristic, Ofer Shezaf

Track: 0-Day Defense

Web application security is a big problem, yet there is never enough time to
dedicate to solving the issue or, at least, making it smaller. To help with
this, we embarked on a project that would enable you to tighten the security of
your web applications with little effort. The project, called ModProfiler, aims
to provide best-possible protection for web applications by analysing web
application traffic passing by. This new open source tool builds on the success
of ModSecurity (also open source), which is generally considered to be the most
widely deployed web application firewall.

The premise is simple: ModProfiler works by observing what's valid and what's
not, resulting in a tight application shield designed around the positive
security model concept. The process of shield construction is not as simple, but
the complexity is hidden away. This talk, presented by Ivan Ristic and Ofer
Shezaf, the authors of the tool, will give you an insight into the technology
behind the scenes, and enable you to get the most out of it.
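As an added example of the positive security model described above (illustrative code written for this page, not ModProfiler's or ModSecurity's own implementation), the following learns a per-resource profile from constructed, assumed-clean training requests and then reports requests that deviate in parameter name, value character class or value length. The request line format, the training set and the length tolerance are assumptions.

```python
"""Added example: a minimal positive-security-model profiler for web requests.

Phase 1 learns, per (method, path), which parameters occur, the loosest
character class seen for each, and the longest value seen. Phase 2 reports
anything a new request does that the learned profile never saw. Like any
learning approach, it is only as good as the cleanliness of the training data.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed training traffic, assumed clean: "<METHOD> <URL>" per line.
TRAINING = [
    "GET /search?q=laptop&page=1",
    "GET /search?q=red+shoes&page=2",
    "GET /search?q=usb-c+hub&page=3",
    "GET /account?id=1041",
    "GET /account?id=2207",
    "GET /account?id=388",
]

# Character classes ordered from strictest to loosest; a profile records the
# loosest class observed, and a value is accepted only if its class is no looser.
CLASSES = ["digit", "alnum", "any"]


def value_class(value: str) -> str:
    # '*' so an empty value counts as the strictest class and never loosens a profile
    if re.fullmatch(r"[0-9]*", value):
        return "digit"
    if re.fullmatch(r"[A-Za-z0-9 _.\-]*", value):
        return "alnum"
    return "any"


def parse_request(line: str):
    """Split 'METHOD /path?query' into (method, path, [(name, value), ...])."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


class Profile:
    def __init__(self, length_slack: float = 1.5):
        # (method, path) -> {param: {"class": str, "max_len": int}}
        self.resources = {}
        self.length_slack = length_slack  # tolerance above the longest seen value

    def learn(self, lines) -> None:
        for line in lines:
            method, path, params = parse_request(line)
            res = self.resources.setdefault((method, path), {})
            for name, value in params:
                p = res.setdefault(name, {"class": "digit", "max_len": 0})
                cls = value_class(value)
                if CLASSES.index(cls) > CLASSES.index(p["class"]):
                    p["class"] = cls
                p["max_len"] = max(p["max_len"], len(value))

    def check(self, line: str) -> list:
        """Return a list of violations; an empty list means the request fits."""
        method, path, params = parse_request(line)
        res = self.resources.get((method, path))
        if res is None:
            return [f"unknown resource {method} {path}"]
        violations = []
        for name, value in params:
            p = res.get(name)
            if p is None:
                violations.append(f"unknown parameter {name}")
                continue
            cls = value_class(value)
            if CLASSES.index(cls) > CLASSES.index(p["class"]):
                violations.append(f"{name}: value class {cls} not in profile ({p['class']})")
            if len(value) > p["max_len"] * self.length_slack:
                violations.append(f"{name}: length {len(value)} exceeds profile max {p['max_len']}")
        return violations


def build_profile(lines=TRAINING) -> Profile:
    profile = Profile()
    profile.learn(lines)
    return profile


if __name__ == "__main__":
    prof = build_profile()
    for req in ["GET /account?id=1042", "GET /account?id=1042%27",
                "GET /search?q=laptop&debug=1", "POST /login?user=a"]:
        print(req, "->", prof.check(req) or "ok")
```

A real profiler also has to decide when a resource has been observed often enough for its profile to be trusted; rarely used parameters are the usual source of false positives.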

Ivan Ristic

Ivan Ristic is an open source advocate, entrepreneur, writer, programmer and
application security researcher. He is the principal author of ModSecurity
(http://www.modsecurity.org), the open source intrusion detection and prevention
engine for web applications, considered by many to be the most widely deployed
web application firewall. Through ModSecurity and by leading the Web Application
Firewall Evaluation Criteria project, Ivan works to make the web application
firewall technology available to everyone, honestly discussing its advantages
and disadvantages at the same time. His book, Apache Security
(http://www.apachesecurity.net), is a concise yet comprehensive web security
guide for the Apache web server. Ivan is an active participant in the web
application security community, an officer of the Web Application Security Consortium
and the leader of the OWASP London Chapter. Ivan's blog is at
http://blog.ivanristic.com.

Ofer Shezaf

Ofer Shezaf is VP Security Research at Breach Security Inc. and leads IT
security research at the company. He is responsible for defining security
features for Breach Security’s products and driving the diverse research
activities of Breach Security Labs, the research arm of Breach Security. Ofer's
research program is focused on the design and operations of web application
firewalls including leading the Core Rule Set project, an open source project
for generic detection of application layer attacks. Ofer serves as an officer of
the Web Application Security Consortium (WASC) where he leads the Web Hacking
Incidents Database project. He also leads the Israeli chapter of the Open Web
Application Security Project (OWASP). Prior to joining Breach Security, Shezaf
was a group manager and later a special advisor on national infrastructure
protection for the Israeli government and intelligence forces.

Alternative Medicine: The Malware Analyst's Blue Pill

Paul Royal

Track: Reverse Engineering

Modern malware contains a myriad of anti-debugging, anti-instrumentation, and
anti-VM techniques that pose challenges to security professionals who want to
understand an instance’s malicious runtime behavior. Static analysis of malware
can be similarly stymied by code obfuscations created using custom or best-of
packers, and execution-based unpacking must deal with the same challenges as
those focusing on runtime behavior. Robust tracing programs and automated
deobfuscation tools help the analysis process, but given that nearly all of
these approaches reside in or emulate part of the guest OS, the result is a
fast-moving, ever-escalating detection/detection-prevention arms race.

In an effort to evolve the nature of the obfuscation/deobfuscation game
played between malware authors and security practitioners, this presentation
will discuss the design and implementation of completely external malware
analysis approaches that operate through the use of hardware virtualization
extensions (e.g., Intel’s VT). To motivate their need, highlights of detection
attacks for existing in-guest or emulation-based approaches will also be
presented.

In addition to showing how virtualization extensions can be carefully
leveraged to create tracing and instrumentation techniques, construction of and
source code for a (KVM-based) simple prototype allowing for fine-grained tracing
and instrumentation will be provided. Test cases showing that the prototype
prevents a malware instance from inferring that it is being spied upon or that
the environment is not bare metal will also be presented.

Paul Royal

Paul Royal is Principal Researcher at Damballa, Inc., an Atlanta-based company
whose primary focus is botnet detection and remediation. In his role at Damballa,
Paul collaborates with researchers and engineers to design new techniques for and
apply ongoing research efforts in the implementation of sandboxes, sensors and
analyzers used for the discovery and identification of bot behavior. Paul received
his Bachelor and Master of Science in Computer Science from the Georgia Institute
of Technology in 2004 and 2006, respectively. As a graduate student he studied
binary analysis under Dr. Wenke Lee, focusing on the topics of automated malware
processing and transformation.

Detecting & Preventing the Xen Hypervisor Subversions

Joanna Rutkowska, Rafal Wojtczuk

Track: Virtualization

We discuss various anti-subverting techniques (IOMMU/VT-d, Xen’s driver- and
stub- domains, etc) and whether they really can protect the Xen (or similar)
hypervisor from compromises. After demonstrating that those mechanisms can be
bypassed, we will switch to discussing hypervisor integrity scanning and will
present some prototype solutions to this problem.

This presentation is the second in a series of three talks about Xen
(in)security presented by Invisible Things Lab at this year’s Black Hat,
collectively referred to as the “Xen 0wning trilogy”. It is recommended that the
audience attend the “Subverting the Xen hypervisor” presentation before coming
to this talk. The follow-up presentation is titled
“Bluepilling the Xen hypervisor”.

Joanna Rutkowska

Joanna Rutkowska is a recognized researcher in the field of stealth malware
and system compromises. Over the past several years she has introduced several
breakthrough concepts and techniques on both the offensive and defensive side in
this field. Her work has been quoted multiple times by international press and
she is also a frequent speaker at security conferences around the world.

Rafal Wojtczuk

Rafal Wojtczuk has 10 years experience with computer security. He has found
vulnerabilities in popular operating systems and virtualization software. He has
published articles on advanced exploitation techniques, among others about
exploiting buffer overflows in partially randomized address space environment.
He is also the author of libnids, a low-level packet reassembly library. In July
2008 he joined Invisible Things Lab, the company known for research in
hypervisor security.

Bluepilling the Xen Hypervisor

Alexander Tereshkin, Joanna Rutkowska

Track: Virtualization

We discuss how to insert Bluepill on top of the running Xen hypervisor (x64).
We will show how to do that both with and without restart (i.e. on the fly). To
make this possible, our Bluepill needs to support full nested virtualization, so
that Xen can still function properly. We will also discuss how the “Bluepill
detection” methods proposed over the last 2 years, as well as the integrity
scanning methods discussed in the previous speech, fit into this new scenario
and how far we are from the stealth malware’s Holy Grail ;)

This presentation is the last in a series of three talks about Xen
(in)security presented by Invisible Things Lab at this year’s Black Hat,
collectively referred to as the “Xen 0wning trilogy”. It is recommended that the
audience attend the “Subverting the Xen hypervisor” and “Detecting and
Preventing the Xen hypervisor subversions” presentations before coming to this
talk.

Joanna Rutkowska

Joanna Rutkowska is a recognized researcher in the field of stealth malware
and system compromises. Over the past several years she has introduced several
breakthrough concepts and techniques on both the offensive and defensive side in
this field. Her work has been quoted multiple times by international press and
she is also a frequent speaker at security conferences around the world.

Alexander Tereshkin

Alexander Tereshkin, principal researcher of Invisible Things Lab, is a
seasoned reverse engineer and expert in the Windows kernel, specializing in
rootkit technology, kernel exploitation and hardware virtualization security. He
has presented several sophisticated ideas for rootkit creation and personal
firewall bypassing in the past few years. He has done significant work in the
field of virtualization based malware and kernel protection bypassing. He is a
co-author of "Understanding Stealth Malware", a course taught with Joanna Rutkowska.

Return-Oriented Programming: Exploits Without Code Injection

Hovav Shacham

Track: 0-Day

We describe return-oriented programming, a generalization of return-into-libc
that allows an attacker to undertake arbitrary, Turing-complete computation
without injecting code.

New computations are constructed by linking together code snippets that end
with a "ret" instruction. The ret instructions allow an attacker who controls
the stack to chain instruction sequences together. Because the executed code is
stored in memory marked executable, W^X and DEP will not prevent it from
running.

W^X and DEP, along with many other security systems, make the assumption that
preventing the introduction of malicious code is sufficient to prevent the
introduction of malicious computation. With the return-oriented computing
approach, this assumption is false: subverting control flow on the stack is
sufficient to construct arbitrary computation from "known-good" code.

On the x86 one can obtain useful instruction sequences by jumping into the
middle of intended instructions, but return-oriented programming is possible
even on RISC platforms that are very different from the x86.
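To make the chaining mechanism concrete, here is an added simulation written for this page (not Shacham's code or tooling): gadgets are modelled as small Python functions living at hypothetical addresses, and the dispatch loop plays the role of "ret", popping the next word of the attacker-chosen stack into eip. The gadget addresses, the stack layout and the register set are assumptions; the point is that the stack, not any injected bytes, is the program.

```python
# Hypothetical addresses of gadgets, as if located in a loaded library. Each
# gadget is modelled by a Python function doing what the instructions before
# its "ret" do; the "ret" itself is the dispatch in Machine.run(), which pops
# the next word off the attacker's stack and treats it as the new eip.
POP_EAX, POP_EBX, ADD_EAX_EBX, STORE = 0x08048123, 0x08048456, 0x08048789, 0x08048ABC


def pop_eax(m):
    m.regs["eax"] = m.pop()


def pop_ebx(m):
    m.regs["ebx"] = m.pop()


def add_eax_ebx(m):
    m.regs["eax"] = (m.regs["eax"] + m.regs["ebx"]) & 0xFFFFFFFF


def store_eax_at_ebx(m):
    m.mem[m.regs["ebx"]] = m.regs["eax"]


GADGETS = {
    POP_EAX: ("pop eax; ret", pop_eax),
    POP_EBX: ("pop ebx; ret", pop_ebx),
    ADD_EAX_EBX: ("add eax, ebx; ret", add_eax_ebx),
    STORE: ("mov [ebx], eax; ret", store_eax_at_ebx),
}


class Machine:
    """A CPU reduced to what matters here: registers, memory, and a stack
    whose contents the attacker chose."""

    def __init__(self, gadgets, stack):
        self.gadgets = gadgets
        self.stack = list(stack)      # words at [esp], [esp+4], ... lowest address first
        self.esp = 0
        self.regs = {"eax": 0, "ebx": 0}
        self.mem = {}
        self.trace = []

    def pop(self):
        word = self.stack[self.esp]
        self.esp += 1
        return word

    def run(self, max_steps=1000):
        for _ in range(max_steps):
            if self.esp >= len(self.stack):
                return self                     # chain exhausted
            eip = self.pop()                    # ret == pop eip
            if eip not in self.gadgets:         # only existing code is executable (DEP/W^X)
                raise RuntimeError(f"eip={eip:#x} is not executable code")
            name, body = self.gadgets[eip]
            self.trace.append(name)
            body(self)                          # runs until this gadget's ret
        raise RuntimeError("step limit reached")


def chain_add_and_store(a, b, dest):
    """Stack image that computes a + b and writes it to dest. Every word is
    either a gadget address or an immediate consumed by a pop; nothing on the
    stack is ever executed as code, which is why DEP/W^X do not object."""
    return [POP_EAX, a,            # eax = a
            POP_EBX, b,            # ebx = b
            ADD_EAX_EBX,           # eax = a + b
            POP_EBX, dest,         # ebx = dest
            STORE]                 # [dest] = eax


def run_chain(stack):
    return Machine(GADGETS, stack).run()


# On x86 the "ret" byte (0xc3) that ends a gadget can also be reached from
# inside an intended instruction: the bytes  f7 c7 07 00 00 00 0f 95 45 c3
# decode as "test $7, %edi; setnzb -61(%ebp)" when started at offset 0, but as
# "movl $0x0f000000, (%edi); xchg %ebp, %eax; inc %ebp; ret" from offset 1.
# A gadget scanner therefore looks for c3 bytes and decodes backwards from them.

if __name__ == "__main__":
    m = run_chain(chain_add_and_store(40, 2, 0xBFFFF000))
    print(" -> ".join(m.trace))
    print(f"[0xbffff000] = {m.mem[0xBFFFF000]}")   # 42
```

The run loop refuses any eip that is not a known code address, which is the DEP/W^X check in miniature: the chain passes it because every executed instruction already lived in "known-good" code, and the attacker's contribution is entirely data.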

Hovav Shacham

Hovav Shacham joined UC San Diego’s Department of Computer Science and
Engineering in Fall 2007. Shacham received his Ph.D. in computer science in 2005
from Stanford University, where he had also earned, in 2000, an A.B. in English.
His Ph.D. advisor was Dan Boneh. In 2006 and 2007, he was a Koshland Scholars
Program postdoctoral fellow at the Weizmann Institute of Science, hosted by Moni
Naor. Shacham’s research interests are in applied cryptography, systems
security, and tech policy. In 2007, Shacham participated in California Secretary
of State Debra Bowen’s “Top-to-Bottom Review” of the voting machines certified
for use in California. He was a member of the team reviewing Hart InterCivic
source code; the report he co-authored was cited by the Secretary in her
decision to withdraw approval from Hart voting machines.

Meet The Owner Of a Real Hacked Company - Forensic Investigation

Mark Shelhart

Track:

Meet Jimmy,

Jimmy owns a restaurant that was compromised by credit card hackers. Hear
his story told by Jimmy, as well as the forensic investigator that worked the
case.

We will cover details of what the attacker specifically did, along with
EnCase screenshots. We will also let Jimmy talk about what this meant to him,
his family, and his business.

Mark Shelhart

Mark Shelhart has over 14 years experience in Information Security. Mark is
the Forensic Practice Manager within Trustwave's SpiderLabs team focusing his
expertise on investigating system and network compromises. Mark's case work
involves data security breaches, intellectual property theft and litigation
support for businesses, government, and universities worldwide. As a speaker,
Mark often presents on current threats and technology seen as part of forensic
investigations. Recently, he has presented on behalf of EnCase, Infragard,
Tripwire, and VeriFone.

MetaPost-Exploitation

Val Smith, Colin Ames

Track: App Sec 1.0 / 2.0

When penetration testing large environments, testers require the ability to
maintain persistent access to systems they have exploited, leverage trusts to
access other systems, and increase their foothold into the target. Post
exploitation activities are some of the most labor intensive aspects of pen
testing. These include password management, persistent host access, privilege
escalation, trust relationships, acquiring GUI access, etc. Penetration testers
acquire hashes, crack them, keep track of which passwords go with which
usernames / systems and finally reuse this information to penetrate further
systems.

This paper will first cover the technical details of these topics as well as
some examples of manual methods currently in use during penetration tests. Next
we will present some improvements to these techniques and demonstrate some tools
we have developed which can be integrated with other popular applications such
as Metasploit. We will also demonstrate automated methods for using collected
password intelligence to penetrate massive numbers of systems. Finally we will
suggest some future directions for this area.

Val Smith

Val Smith has been involved in the computer security community and industry
for over ten years. He currently works as a professional security researcher on
problems for both the government and private sectors. He specializes in
penetration testing (over 40,000 machines assessed), reverse engineering and
malware research. He works on the Metasploit Project development team as well as
other vulnerability development efforts. Most recently Val Smith founded
Offensive Computing, a public, open source malware research project.

Colin Ames

Colin Ames is a security researcher with Offensive Computing LLC where he
consults for both the private and public sectors. He's currently focused on Pen
testing, Reverse Engineering, Malware Analysis and Steganographic research.

How To Impress Girls With Browser Memory Protection Bypasses

Alexander Sotirov, Mark Dowd

Track: App Sec 1.0 / 2.0

Over the past several years, Microsoft has implemented a number of memory
protection mechanisms with the goal of preventing the reliable exploitation of
common software vulnerabilities on the Windows platform. Protection mechanisms
such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory
corruption vulnerabilities and at first sight present an insurmountable obstacle
for exploit developers.

This talk aims to present exploitation methodologies against this
increasingly complex target. We will demonstrate how the inherent design
limitations of the protection mechanisms in Windows Vista make them ineffective
for preventing the exploitation of memory corruption vulnerabilities in browsers
and other client applications.

Each of the aforementioned protections will be briefly introduced and its
design limitations will be discussed. We will present a variety of techniques
that can be used to bypass the protections and achieve reliable remote code
execution in many different circumstances. Finally, we will discuss what
Microsoft can do to increase the effectiveness of the memory protections at the
expense of annoying Vista users even more.

Alexander Sotirov

Alexander Sotirov has been involved in computer security since 1998, when he
started contributing to Phreedom Magazine, a Bulgarian underground technical
publication. For the past ten years he has been working on advanced
exploitation, reverse engineering and vulnerability research. His recent work
includes the discovery of the ANI vulnerability in Windows Vista and the
development of the Heap Feng Shui browser exploitation technique. Alexander is
one of the organizers of the Pwnie Awards. He is currently employed as a
security researcher at VMware.

Mark Dowd

Mark Dowd is an expert in application security, specializing primarily in
host and server based Operating Systems. His professional experience includes
several years as a senior researcher at ISS, where he uncovered a variety of
major vulnerabilities in ubiquitous Internet software. He also worked as a
Principal Security Architect for McAfee, where he was responsible for internal
code audits, secure programming classes, and undertaking new security
initiatives. Mark has also co-authored a book on the subject of application
security named "The Art of Software Security Assessment", and has spoken at
several industry-recognized conferences.

Deeper Door - Exploiting the NIC Chipset

Sherri Sparks, Shawn Embleton

Track: Root Kit Arms Race

In this presentation we will discuss a couple of significant problems in
existing IDS / firewall technology and present a proof of concept "chipset"
level rootkit / network backdoor that is capable of bypassing virtually all
host based firewall and intrusion detection software on the market. These, of
course, include popular, widely deployed software like Snort and Zone Alarm
Security Suite. Our backdoor operates at an even deeper level than previous
backdoors (e.g. Joanna's "DeepDoor" rootkit) because it interacts directly with
the chipset interface of the NIC hardware. Capabilities include the ability to
both covertly send AND receive packets. We use both of these capabilities to
implement a simple command and control interface. Implications for security
vendors include the exfiltration of sensitive information and delayed detection
of malware threats like DDoS attacks, botnets, and worms.

Sherri Sparks

Sherri Sparks is President of the Florida company, Clear Hat Consulting, Inc.
Currently, her research interests include offensive / defensive stealth code
technologies and digital forensics. She has spoken at Black Hat on these topics
and has taught the Black Hat Offensive Aspects of Rootkit Technology class. Her
published articles have appeared in Usenix ;login:, ACSAC, Security Focus, and
Phrack magazine. With an increasing involvement in providing consulting /
training services for independent clients, she co-founded the company Clear Hat
Consulting, Inc. in early 2007. Clear Hat Consulting specializes in Windows
kernel and hypervisor development as it relates to stealth rootkit technology,
digital forensics, and other custom software security solutions.

Shawn Embleton

Shawn Embleton is the CTO of the Florida company, Clear Hat Consulting, Inc.
Shawn spoke at Black Hat in 2006 on the topic of using evolutionary computation
for automated vulnerability analysis and co-authored a prototype intelligent
fuzz testing tool, named Sidewinder. During 2007, Shawn co-taught the Black Hat
Offensive Aspects of Rootkit Technology class with Sherri Sparks and co-founded
Clear Hat Consulting, Inc. Some of his current interests include hardware
virtualization and chipset level rootkit technology.

A Fox in the Hen House (UPnP IGD)

Jonathan Squire

Track: Turbo Talks

Easy is the mantra of consumer devices these days. “Just plug it in and it
works. No configuration needed.” All this simplicity hopefully causes one to
pause and wonder, how is this possible?

This presentation will demonstrate the dangers of the often overlooked
Universal Plug and Play (UPnP) Internet Gateway Device (IGD) profile. UPnP IGD
is commonly enabled on modern home cable modem/wireless routers. UPnP IGD allows
applications such as games and chat clients to request needed port forwards
without the user’s intervention. Many of these routers do not even display
these port mappings in their administrative interfaces.

In this presentation we will walk the audience through the simple steps
needed to modify the port mappings on a common wireless router and discuss some
of the potential attacks that can be performed. Sample code will be demonstrated
that dynamically adds and removes port forwarding rules from the router to
expose internal services to the internet. This simple attack is performed
without any need for authentication and the new forwarding rules generally
aren’t visible in the web interface of the router.
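As an added example (written for this page, not the speaker's sample code) of what the unauthenticated IGD control path looks like on the wire: the functions below build the SOAP requests for AddPortMapping, DeletePortMapping and GetGenericPortMappingEntry on the WANIPConnection service and parse the device's reply. The router address, control URL and the two sample responses are constructed; on a real network the device is located with the SSDP M-SEARCH shown and its control URL is read from the device description that the reply's LOCATION header points at.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"

# SSDP discovery datagram (UDP to 239.255.255.250:1900) asking for the WAN IP
# connection service; the reply's LOCATION header names the device description,
# which in turn carries the service's controlURL.
SSDP_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    f"ST: {SERVICE}\r\n\r\n"
)


def soap_request(host, control_url, action, args):
    """Raw HTTP POST (bytes) for one SOAP action on the IGD control URL.
    args is an ordered list of (name, value); some devices care about the
    argument order, so the caller passes it explicitly."""
    body_args = "".join(f"<{n}>{escape(str(v))}</{n}>" for n, v in args)
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{body_args}</u:{action}>'
        "</s:Body></s:Envelope>"
    ).encode()
    headers = (
        f"POST {control_url} HTTP/1.1\r\n"
        f"HOST: {host}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n"
        f'SOAPACTION: "{SERVICE}#{action}"\r\n\r\n'
    ).encode()
    return headers + body


def add_port_mapping(host, control_url, ext_port, proto, int_client, int_port,
                     description="", lease=0):
    """Expose int_client:int_port on the WAN side. Note that no credential of
    any kind appears in the request; any LAN process can send it."""
    return soap_request(host, control_url, "AddPortMapping", [
        ("NewRemoteHost", ""),
        ("NewExternalPort", ext_port),
        ("NewProtocol", proto),
        ("NewInternalPort", int_port),
        ("NewInternalClient", int_client),
        ("NewEnabled", 1),
        ("NewPortMappingDescription", description),
        ("NewLeaseDuration", lease),
    ])


def delete_port_mapping(host, control_url, ext_port, proto):
    return soap_request(host, control_url, "DeletePortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto)])


def get_mapping_entry(host, control_url, index):
    """Walk the mapping table by index; the device answers a SOAP fault with
    UPnP error 713 (SpecifiedArrayIndexInvalid) once the index runs past the
    end. This lists forwards the web UI does not show."""
    return soap_request(host, control_url, "GetGenericPortMappingEntry",
                        [("NewPortMappingIndex", index)])


def parse_mapping_response(xml_text):
    """Fields of a GetGenericPortMappingEntry reply as a dict, or None on fault."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]
        if local == "Fault":
            return None
        if local == "GetGenericPortMappingEntryResponse":
            return {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in elem}
    return None


# Constructed replies of the shape an IGD returns: one mapping, then the fault
# that terminates enumeration.
SAMPLE_ENTRY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>2222</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>22</NewInternalPort>
<NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>demo</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_FAULT = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>
</UPnPError></detail></s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    # Assumed router control endpoint; real values come from SSDP + device description.
    print(add_port_mapping("192.168.1.1:49152", "/ctl/IPConn", 2222, "TCP",
                           "192.168.1.10", 22, "demo").decode())
    print(parse_mapping_response(SAMPLE_ENTRY))
    print(parse_mapping_response(SAMPLE_FAULT))
```

The request bytes can be written straight to a TCP socket connected to the control endpoint. Looping get_mapping_entry from index 0 until parse_mapping_response returns None is the audit a defender wants, since it shows the mappings the router's own web interface hides; the remediation the abstract implies is to turn UPnP IGD off on the gateway.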

Jonathan Squire

Jonathan Squire is a founding member of the Information Security Group of a
well known publishing and media company. While working at his day job, Jonathan
is credited with accomplishments that include developing an Information Security
model for the enterprise, architecting a secure, centralized credit card
processing solution, and guiding the design of the security infrastructure
deployed throughout many customer facing properties. Mr. Squire is also
responsible for providing direction in governance and industry best practices.
In his spare time, Jonathan is known to enjoy disassembling any piece of
technology that cost more than $20 just to find out what else it can do. This
propensity for abusing technology is easily witnessed by viewing the buckets of
broken parts strewn throughout his basement as well as the creations that rise
from the rubble.

Living in the RIA World: Blurring the Line Between Web and Desktop Security

Alex Stamos, Founding Partner, iSEC Partners

Track: App Sec 1.0 / 2.0

Rich Internet Applications (RIA) represent the next generation of the Web. Designed to run without constant
Internet connectivity, they provide a graphical experience equivalent to thick desktop applications with the
easy install experience of thin Web apps. They intentionally blur the line between websites and traditional
desktop applications and greatly complicate the jobs of web developers, corporate security teams, and external
security professionals.

Our goal with this talk will be to outline the different attack scenarios that exist in the RIA
world and to provide a comparison between the security models of the leading RIA platforms. We will
discuss how current attacks against web applications are changed with RIA as well as outline new types
of vulnerabilities that are unique to this paradigm. Attendees will learn how to analyze the threat posed
to them by RIA applications as either providers or consumers of software built on these new platforms.

We will also be discussing the attack surface exposed by the large media codec stacks contained in each of
these platforms. Our targeted platforms include Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and
Mozilla Prism. At this talk, we will be releasing tools for testing the codec security of these platforms
as well as sample malicious code demonstrating the danger of RIA applications.

Alex Stamos is a Founding Partner of iSEC Partners and is an experienced security engineer
and consultant specializing in application security and incident response. He is a leading researcher in the
field of web application and web services security and has been a featured speaker at top industry conferences
such as BlackHat, DefCon, SyScan, Infragard, Microsoft BlueHat, Toorcon, the Web 2.0 Expo and OWASP AppSec. He
holds a BSEE from the University of California, Berkeley, and spends his spare time chasing his baby son and
sailing on the SF bay.

Concurrency Attacks in Web Applications

Scott Stender

Track: App Sec 1.0 / 2.0

Modern web application frameworks are designed for developer productivity and
performance. They are highly scalable, object-oriented, and can be used to
create a usable web site in a matter of minutes.

Highly parallelized, object-oriented web application frameworks encourage
programming practices that make managing state difficult for a typical
programmer. In order to have a web application that is robust in a
multi-threaded environment, the developer must carefully manage access to all
resources that can be shared by threads. Global variables, session variables,
database access, and back-end systems are common examples of such resources, not
to mention application-specific resources.

Concurrency flaws result when security-sensitive resources are not managed
properly. As we have seen with almost every other prevalent class of security
flaws, mistakes happen often when doing the right thing is difficult. To make
things worse, concurrency flaws are often subtle and are identified only through
difficult targeted testing.

This presentation will provide deep technical background against this class
of flaw, enumerate testing techniques that help identify when flaws are present,
and demonstrate tools that automate the process.
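An added example, written for this page and not taken from the talk, of the check-then-act race the text describes and of the targeted test that exposes it: two withdrawals against one account are released at the same instant (a threading.Barrier stands in for two HTTP requests fired together), once against an unsynchronised handler and once against one that makes the check and the update a single locked step. The account model, the amounts and the handler names are assumptions.

```python
import threading


class Account:
    """Shared state that two request-handling threads touch at once."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, barrier):
    """Check-then-act with nothing holding the two steps together."""
    if acct.balance < amount:           # check
        return False
    barrier.wait(timeout=2)             # constructed: hold here until both
                                        # requests have passed the check
    acct.balance -= amount              # act on a check that is now stale
    return True


def withdraw_safe(acct, amount, barrier):
    """Check and act as one atomic step under the account's lock."""
    barrier.wait(timeout=2)             # constructed: both requests arrive together
    with acct.lock:
        if acct.balance < amount:
            return False
        acct.balance -= amount
        return True


def run_concurrent(handler, balance=100, amount=100, requests=2):
    """Fire `requests` identical withdrawals at the same moment and return
    (final balance, number of requests that reported success)."""
    acct = Account(balance)
    barrier = threading.Barrier(requests)
    results = []

    def worker():
        results.append(handler(acct, amount, barrier))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, results.count(True)


if __name__ == "__main__":
    print("racy:", run_concurrent(withdraw_racy))   # (-100, 2): 200 withdrawn from 100
    print("safe:", run_concurrent(withdraw_safe))   # (0, 1)
```

In a real application the lock is not a process-local mutex, because requests are spread over many worker processes and hosts; it is a database transaction that reads the row for update, or a conditional UPDATE whose WHERE clause repeats the check. The testing technique carries over unchanged: send the requests in parallel and compare the end state with what a serial run would produce.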

Scott Stender

Protocols and Encryption of The Storm Botnet

Joe Stewart

Track: Bots & Malware

This talk will provide an in-depth, detailed explanation of how the
network and encryption protocols of the Storm botnet work together to
create a massive and resilient peer-to-peer network capable of sending
billions of spams per day.

Joe Stewart

Joe Stewart is Director of Malware Research with SecureWorks. As a leading
expert on malware and Internet threats, he is a frequent commentator on security
issues for leading media outlets such as The New York Times, MSNBC, Washington
Post, USA Today and others. Joe has presented his security research at many
conferences such as RSA, Black Hat, DEFCON, ShmooCon, RECON, Netsec and
others.

Xploiting Google Gadgets: Gmalware and Beyond

Tom Stracener

Track: Bots & Malware

Google Gadgets are symptomatic of the Web 2.0 way of things: from lame
gadgets that rotate through pictures of puppies to calendars, and inline email
on your iGoogle homepage. This talk will analyze the security history of Google
Gadgets and demonstrate ways to exploit Gadgets for nefarious purposes. We will
also show ways to create Gadgets that allow you to port scan internal systems
and do various javascript hacks via malicious (or useful) gadgets, depending on
your point of view. We've already ported various javascript attack utilities to
Google Gadgets (like PDP's javascript port scanner) among other things. We will
also disclose a zero day vulnerability in Google Gadgets that makes Gmalware
(Gmodules based malware) a significant threat. This talk will be given
by Robert Hansen (Rsnake) and Tom Stracener (Strace)

Tom Stracener

Robert "RSnake" Hansen

Robert Hansen is CEO and Founder of SecTheory. Mr. Hansen (CISSP) has worked for Digital Island, Exodus Communications and Cable & Wireless
in varying roles from Sr. Security Architect and eventually product managing many of the managed
security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust
and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he
worked as a director of product management for Realtor.com. Robert sits on the advisory board
for the Intrepidus Group, Just Thrive, previously sat on the technical advisory board of
ClickForensics and currently contributes to the security strategy of several startup companies.

Mr. Hansen authors content on O'Reilly, Dark Reading and co-authored "XSS Exploits" by
Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation
group focusing on web application security scanners and the Web Application Security Scanners
Evaluation Criteria (WASC-WASSEC) group. He also speaks at SourceBoston, Secure360, GFIRST/US-CERT,
Toorcon, APWG, ISSA, TRISC, OWASP/WASC, Microsoft's Bluehat, Blackhat, DefCon and Networld+Interop.
Mr. Hansen is a member of Infragard, Austin Chamber of Commerce, West Austin Rotary, WASC, IACSP,
APWG, he is the Industry Liaison for the Austin ISSA and contributed to the OWASP 2.0 guide.

Windows Hibernation File for Fun and Profit.

Matthieu Suiche

Track: Deep Knowledge

This presentation aims to describe the Windows hibernation file format and its
modifications since Windows 2000. Hibernation provides an official way to dump
the physical memory into a specific file called hiberfil.sys. The format of this
file is undocumented, and until now no public documentation of it has existed.

Matthieu Suiche

Matthieu Suiche is a 19-year-old freelance security researcher. He worked as an
intern for EADS, and is currently participating in Google Summer of Code. He has
spoken at various events in France for Microsoft and others, and in Japan at
PacSec. Matthieu focuses on the following applications of reverse engineering:
software security, advanced threat research, malware protection and analysis,
and computer forensics. His website can be found at
http://www.msuiche.net

REST for the Wicked

Bryan Sullivan

Track: Web 2.0

Let's face it: SOAP sucks. Especially when it comes to Web 2.0 applications.
Many high-profile web sites have come to this same conclusion: Amazon, MySpace,
Yahoo, and others are abandoning SOAP in favor of REST. REST (Representational
State Transfer), and particularly REST used in combination with JSON, is faster,
more scalable, and easier to implement than SOAP. But, do all these benefits
come at the cost of security?

REST can be especially susceptible to attacks like Cross-Site Request
Forgery and JavaScript Hijacking; and worse, the usual remediation tactics that
developers use to defend their apps against these attacks do not apply to REST
services. In this presentation, I will demonstrate threats facing RESTful web
services, myth-bust commonly proposed defense techniques, and provide
appropriate development practices for defending REST.

Bryan Sullivan

Bryan is a Security Program Manager on the Security Development Lifecycle
(SDL) team at Microsoft. He is a frequent speaker at industry events, including
Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on web
application security topics. His first book, "Ajax Security" was published by
Addison-Wesley in 2007.

Inducing Momentary Faults Within Secure Smartcards / Microcontrollers

Christopher Tarnovsky, Flylogic Engineering, LLC.

Track: Hardware

This presentation is intended for individuals with an understanding of the
Intel 8051 and Motorola 6805 processor families from an Assembly language
perspective. This will be an interactive presentation with the audience.

Log files will be examined that have been taken from the targets (smartcards)
at every clock cycle of the CPU during its runtime. We will discuss our
possibilities and determine points in time (clock cycle periods) to momentarily
induce a fault within the target.

Our goal will be to override the normal behavior of the target for our own
use, such as:

    Temporary changes: readout of normally private records from the device

Both smartcards contain a cryptographic co-processor and are known to have
been used to secure data, PCs, laptops and Sun Ray terminals.

Flylogic Engineering, LLC. specializes in analysis of semiconductors from a security "how
strong is it really" standpoint. We offer detailed reports on substrate attacks which define
if a problem exists. If a problem is identified, we explain in a detailed report all aspects of
how the attack was done, level of complexity and so on. This is something we believe is unique
and allows the customer to then go back to the chip vendor armed with the knowledge to make them
make it better (or possibly use a different part).

ePassports Reloaded

Jeroen van Beek, Security Consultant

Track: Privacy & Anonymity

At Black Hat Las Vegas in 2006, a cloned ePassport was presented. In 2008, rumor has it that Elvis is still alive, or at least his passport is.
This presentation will examine the different mechanisms used in ePassports to prevent cloning and the creation of electronic travel documents
with non-original content, and ways to attack these mechanisms.

Jeroen van Beek is a Security Consultant and Security Researcher with over 6 years of professional experience
in network security and penetration testing. In 2007 he presented the world’s first publicly available full-blown cracker for
Oracle 11g. vonJeek is a well-known guest speaker at several Dutch universities. Besides security, he likes sleeping, drinking
wine, the sun and fast red Italian motorcycles.

Nmap: Scanning the Internet

Fyodor Vaskovich

Track: The Network

The Nmap Security Scanner was built to efficiently scan large networks, but
Nmap's author Fyodor has taken this to a new level by scanning millions of
Internet hosts as part of the Worldscan project.

He will present the most interesting findings and empirical statistics from
these scans, along with practical advice for improving your own scan
performance. Additional topics include detecting and subverting firewall and
intrusion detection systems, dealing with quirky network configurations, and
advanced host discovery and port scanning techniques. A quick overview of
new Nmap features will also be provided.

Fyodor Vaskovich

Fyodor (known to his family as Gordon Lyon) authored the open source Nmap
Security Scanner in 1997 and continues to coordinate its development. He also
maintains the Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org security
resource sites and has authored seminal papers on stealth port scanning, remote
operating system detection, version detection, and the IPID Idle Scan. He is a
founding member of the Honeynet project and co-author of the books "Know Your
Enemy:Honeynets" and "Stealing the Network:How to Own a Continent". His newest
book, Nmap Network Scanning, is due for release this year. Fyodor is President
of Computer Professionals for Social Responsibility (CPSR), which has been
promoting free speech, privacy, and useful technology since 1981.

Track: 0-day

Get ready for the code to fly as two masters compete to discover as many security vulnerabilities in a single application as
possible. In the spirit of the Food Network's cult favorite show, Iron Chef, our Chairman will reveal the surprise ingredient
(the code), and then let the challenger and the 'Iron Hacker' face off in a frenetic security battle. The guest panel will
judge the tools created and used to determine whose hack-fu will be victorious and who will be vanquished.

Remember, our testers have only one hour to complete their challenge and they will be restricted to their respective
choice of bug-finding techniques: One team will use static analysis, while the other will employ fuzzing. Watch as the
masters wield their weapons of choice. What will they concoct? Who will come out victorious? Which techniques will prove
most effective in a high-pressure every-minute-counts environment? Come and see for yourself!

Visit 'Vulnerability Stadium' and watch a fierce battle. Our contestants will have upwards of five minutes to discuss
their strategy before the battle begins. The show will be taped live with a studio audience and our co-hosts will provide
running commentary, encourage the competitors and judge the results with the audience, based on originality of created
tools, presentation of the number of bugs, and creativity of using the tools when searching for vulnerabilities. So Black
Hat attendees... with an open application and an empty exploit list, I say unto you in the words of my uncle: Hack This!

Jacob West manages Fortify Software's Security Research Group, which is
responsible for building security knowledge into Fortify's products. Jacob brings expertise
in numerous programming languages, frameworks, and styles together with knowledge about how
real-world systems can fail. When he is not in the lab, Jacob spends time speaking at conferences
and working with customers to advance their understanding of software security.

Brian Chess is the Chief Scientist at Fortify Software. His work focuses
on practical methods for creating secure systems. Brian draws on his previous research in
integrated circuit test and verification to find new ways to uncover security issues before
they become security disasters. Brian has his Ph.D. in computer engineering from UC Santa Cruz.
Brian has spoken at RSA, USENIX and CSI 2006, among many other industry events.

Sean Fay works at Fortify Software, where he is the lead engineer for
Fortify Source Code Analysis. Sean holds a degree in Literature and a degree in Computer
Science, both from the Massachusetts Institute of Technology. None of Sean's diverse set
of hobbies are suitable for print in a family-oriented publication.

Subverting the Xen Hypervisor

Rafal Wojtczuk

Track: Virtualization

Bluepill and Vitriol are well-known projects that install a malicious
hypervisor at runtime. Can one achieve the same stealth backdoor functionality
when a legitimate hypervisor is already present, by modifying its code? Such an
attempt would face at least the following difficulties:

a) the hypervisor may protect itself against modification at runtime

b) it may be nontrivial to integrate foreign code with the hypervisor

This presentation will demonstrate how to subvert the Xen hypervisor (on the
32-bit x86 platform) to gain backdoor functionality. The following topics will be
covered:

e) implementation of a backdoor residing in a hidden, unprivileged domain,
allowing for remote command execution in dom0

The code implementing the above will be demonstrated.

Attendees should know the basics of virtualization technologies and Linux
kernel internals.

This presentation is the first in a series of three talks about Xen
(in)security presented by Invisible Things Lab at this year's Black Hat,
collectively referred to as the "Xen 0wning trilogy". The remaining talks are
"Detecting and Preventing the Xen hypervisor subversions" and "Bluepilling the
Xen hypervisor".

Rafal Wojtczuk

Rafal Wojtczuk has 10 years of experience with computer security. He has found
vulnerabilities in popular operating systems and virtualization software. He has
published articles on advanced exploitation techniques, among them one on
exploiting buffer overflows in a partially randomized address space environment.
He is also the author of libnids, a low-level packet reassembly library. In July
2008 he joined Invisible Things Lab, the company known for its research in
hypervisor security.

Leveraging the Edge: Abusing SSL VPNs

Mike Zusman

Track: The Network

Internet-facing SSL VPNs and open reverse proxies can be abused to perform
reconnaissance, data extraction, or general mischief INSIDE the corporate
intranet and on SSL VPN clients. Such security devices are usually assumed to
add security to the enterprise network, while the increased client-side attack
surface from the mobile code they require (ActiveX/Java) goes ignored.

This presentation will discuss programming and infrastructure flaws
permitting abuse of the server, remote code execution on vulnerable clients, as
well as appropriate countermeasures.
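The server-side flaw the abstract describes is an edge device that forwards requests to whatever internal destination the client names, which makes it an open reverse proxy into the intranet. The following added example, written for this page and not taken from the talk or from any particular product, contrasts a destination check that accepts any syntactically valid http(s) URL with one that pins the destination to an allowlist of internal applications and refuses raw IP literals and userinfo tricks. The allowlist and the sample URLs are constructed. The hostname check alone does not stop DNS rebinding, so `is_internal_address` is meant to be applied a second time to the address actually resolved at connect time.

```python
"""Destination validation for an SSL VPN / reverse-proxy web front end
(added example; ALLOWED_HOSTS and the sample URLs are constructed)."""
import ipaddress
from urllib.parse import urlsplit

# Internal applications the portal is meant to front (constructed).
ALLOWED_HOSTS = {"mail.corp.example", "wiki.corp.example"}


def open_proxy_target(url):
    """Weak check: forward to whatever host appears in a valid http(s) URL.
    This is what makes the device an open reverse proxy: the client can aim
    it at 10.0.0.0/8, 127.0.0.1 or anything else reachable from the edge."""
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed bracketed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname


def hardened_proxy_target(url):
    """Return the host to forward to, or None if the request must be refused."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # 'https://wiki.corp.example@10.0.0.5/' parses to hostname 10.0.0.5 with
    # userinfo 'wiki.corp.example'.  Intranet apps never need credentials in
    # the URL, so refuse any userinfo instead of reasoning about it.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname         # urlsplit already lower-cases this
    if not host:
        return None
    # Raw IP literals (including bracketed IPv6) bypass name-based policy.
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    host = host.rstrip(".")       # 'wiki.corp.example.' is the same name
    return host if host in ALLOWED_HOSTS else None


def is_internal_address(ip):
    """Second gate, applied to the address the allowed name actually resolved
    to at connect time: refuse anything that is not globally routable unicast
    (loopback, RFC 1918, link-local incl. 169.254.169.254, multicast, etc.)."""
    a = ipaddress.ip_address(ip)
    return (not a.is_global) or a.is_multicast


if __name__ == "__main__":
    for u in ("http://10.0.0.5/admin", "https://wiki.corp.example/page",
              "https://wiki.corp.example@10.0.0.5/", "http://[::1]/"):
        print(u, "->", open_proxy_target(u), "|", hardened_proxy_target(u))
```

The two functions differ in kind, not degree: the weak check validates syntax, while the hardened one validates policy (which names the portal exists to serve) and then, separately, the resolved address. Checking only one of the two leaves a way around the other.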

Mike Zusman

Mike Zusman is a Senior Consultant for the Intrepidus Group. Prior to joining
Intrepidus Group, Mike held the positions of Escalation Engineer at Whale
Communications (a Microsoft subsidiary), Security Program Manager at Automatic
Data Processing, and lead architect and developer at a number of smaller firms. In
addition to his corporate experience, Mike is an independent security
researcher, and has responsibly disclosed a number of critical vulnerabilities
to commercial software vendors and other clients. Mike has also founded a number
of successful entrepreneurial ventures including Global Uplink Solutions
Incorporated (hosting division acquired by Flare Technologies in 2005) and Dish
Uplink LLC, a leader in satellite TV subscription activations in the US. Mike
holds the CISSP certification.